User Guide
T2600G Series Switches
T2600G-18TS / T2600G-28TS (TL-SG3424) / T2600G-28TS-DC/
T2600G-28MPS (TL-SG3424P) / T2600G-28SQ / T2600G-52TS (TL-SG3452)
1910012657 REV4.2.0
December 2019

Summary of Contents for TP-Link T2600G Series

  • Page 2: Table Of Contents

    CONTENTS: About This Guide; Intended Readers; Conventions; More Information; Accessing the Switch; Overview; Web Interface Access; Login; Save the Configuration File; Disable the Web Server; Configure the Switch's IP Address and Default Gateway; Command Line Interface Access...
  • Page 3 Configuring the System Time; Configuring the Daylight Saving Time; User Management Configurations; Using the GUI; Creating Accounts; Configuring Enable Password; Using the CLI; Creating Accounts; Configuring Enable Password; System Tools Configurations; Using the GUI; Configuring the Boot File; Restoring the Configuration of the Switch...
  • Page 4 Time Range Configuration; Using the GUI; Adding Time Range Entries; Configuring Holiday; Using the CLI; Adding Time Range Entries; Configuring Holiday; Example for PoE Configurations; Network Requirements; Configuring Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters...
  • Page 5 Using the CLI; Appendix: Default Parameters; Configuring LAG; LAG; Overview; Supported Features; LAG Configuration; Using the GUI; Configuring Load-balancing Algorithm; Configuring Static LAG or LACP; Using the CLI; Configuring Load-balancing Algorithm; Configuring Static LAG or LACP; Configuration Examples; Example for Static LAG...
  • Page 6 Configuring the Threshold; Viewing DDM Configuration; Viewing DDM Status; Appendix: Default Parameters; Managing MAC Address Table; MAC Address Table; Overview; Supported Features; Address Configurations; Using the GUI; Adding Static MAC Address Entries; Modifying the Aging Time of Dynamic Address Entries; Adding MAC Filtering Address Entries; Viewing Address Table Entries...
  • Page 7 Configuring the VLAN; Configuring the Port Parameters for 802.1Q VLAN; Using the CLI; Creating a VLAN; Adding the Port to the Specified VLAN; Configuring the Port; Configuration Example; Network Requirements; Configuration Scheme; Network Topology; Using the GUI; Using the CLI...
  • Page 8 Creating Protocol Template; Configuring Protocol VLAN; Using the CLI; Configuring 802.1Q VLAN; Creating a Protocol Template; Configuring Protocol VLAN; Configuration Example; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring VLAN-VPN; VLAN-VPN...
  • Page 9 Using the CLI; Appendix: Default Parameters; Configuring GVRP; Overview; GVRP Configuration; Using the GUI; Using the CLI; Configuration Example; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring Private VLAN; Overview...
  • Page 10 Configuring IGMP Snooping Globally; Configuring IGMP Snooping for VLANs; Configuring IGMP Snooping for Ports; Configuring Hosts to Statically Join a Group; Configuring IGMP Accounting and Authentication Features; Using the CLI; Configuring IGMP Snooping Globally; Configuring IGMP Snooping for VLANs; Configuring IGMP Snooping for Ports; Configuring Hosts to Statically Join a Group...
  • Page 11 Creating the Multicast Profile; Binding the Profile to Ports; Viewing Multicast Snooping Information; Using the GUI; Viewing IPv4 Multicast Table; Viewing IPv4 Multicast Statistics on Each Port; Viewing IPv6 Multicast Table; Viewing IPv6 Multicast Statistics on Each Port; Using the CLI; Viewing IPv4 Multicast Snooping Information; Viewing IPv6 Multicast Snooping Configurations...
  • Page 12 Default Parameters for Multicast Filtering; Configuring Spanning Tree; Spanning Tree; Overview; Basic Concepts; STP/RSTP Concepts; MSTP Concepts; STP Security; STP/RSTP Configurations; Using the GUI; Configuring STP/RSTP Parameters on Ports; Configuring STP/RSTP Globally; Verifying the STP/RSTP Configurations; Using the CLI; Configuring STP/RSTP Parameters on Ports...
  • Page 13 Using the CLI; Appendix: Default Parameters; Configuring LLDP; LLDP; Overview; Supported Features; LLDP Configurations; Using the GUI; Configuring LLDP Globally; Configuring LLDP For the Port; Using the CLI; Global Config; Port Config; LLDP-MED Configurations; Using the GUI...
  • Page 14 Network Requirements; Configuration Scheme; Using the GUI; Using CLI; Appendix: Default Parameters; Configuring L2PT; Overview; L2PT Configuration; Using the GUI; Using the CLI; Configuration Example; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters...
  • Page 15 Configuration Example; Network Requirement; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring Routing; Overview; IPv4 Static Routing Configuration; Using the GUI; Using the CLI; IPv6 Static Routing Configuration; Using the GUI; Using the CLI...
  • Page 16 Using the CLI; Enabling DHCP Server; Configuring DHCP Server Pool; Configuring Manual Binding; DHCP Relay Configuration; Using the GUI; Enabling DHCP Relay and Configuring Option 82; Configuring DHCP Interface Relay; Configuring DHCP VLAN Relay; Using the CLI; Enabling DHCP Relay; (Optional) Configuring Option 82...
  • Page 17 Network Requirements; Configuration Scheme; Configuring the DHCP Relay Switch; Configuring the DHCP Server; Example for DHCP L2 Relay; Network Requirements; Configuration Scheme; Configuring the DHCP Relay Switch; Configuring the DHCP Server; Appendix: Default Parameters; Configuring ARP; Overview; Supported Features...
  • Page 18 Using CLI; Configuring Port Priority; Configuring 802.1p Priority; Configuring DSCP Priority; Specifying the Scheduler Settings; Bandwidth Control Configuration; Using the GUI; Configuring Rate Limit; Configuring Storm Control; Using the CLI; Configuring Rate Limit; Configuring Storm Control; Voice VLAN Configuration...
  • Page 19 Configuring Access Security; Access Security; Overview; Supported Features; Access Security Configurations; Using the GUI; Configuring the Access Control Feature; Configuring the HTTP Function; Configuring the HTTPS Function; Configuring the SSH Feature; Configuring the Telnet Function; Configuring the Serial Port Parameters; Using the CLI...
  • Page 20 Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring 802.1x; Overview; 802.1x Configuration; Using the GUI; Configuring the RADIUS Server; Configuring 802.1x Globally; Configuring 802.1x on Ports; View the Authenticator State; Using the CLI; Configuring the RADIUS Server...
  • Page 21 Using the GUI; Configuring Time Range; Creating an ACL; Configuring ACL Rules; Configuring MAC ACL Rule; Configuring IP ACL Rule; Configuring Combined ACL Rule; Configuring the IPv6 ACL Rule; Configuring the Packet Content ACL Rule; Configuring ACL Binding; Using the CLI; Configuring Time Range...
  • Page 22 Supported Features; IP-MAC Binding Configuration; Using the GUI; Binding Entries Manually; Binding Entries via ARP Scanning; Binding Entries via DHCP Snooping; Viewing the Binding Entries; Using the CLI; Binding Entries Manually; Binding Entries via DHCP Snooping; Viewing Binding Entries; ARP Detection Configuration...
  • Page 23 Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring IPv6 IMPB; IPv6 IMPB; Overview; Supported Features; IPv6-MAC Binding Configuration; Using the GUI; Binding Entries Manually; Binding Entries via ND Snooping; Binding Entries via DHCPv6 Snooping; Viewing the Binding Entries; Using the CLI...
  • Page 24 Configuration Examples; Example for ND Detection; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Example for IPv6 Source Guard; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring DHCP Filter; DHCP Filter...
  • Page 25 Using the CLI; Example for DHCPv6 Filter; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring DoS Defend; Overview; DoS Defend Configuration; Using the GUI; Using the CLI; Appendix: Default Parameters; Monitoring the System...
  • Page 26 Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring sFlow (Only for Certain Devices); Overview; sFlow Configuration; Using the GUI; Configuring the sFlow Agent; Configuring the sFlow Collector; Configuring the sFlow Sampler; Using the CLI; Configuration Example; Network Requirements...
  • Page 27 Using the GUI; Viewing OAMPDUs; Viewing Event Logs; Using the CLI; Viewing OAMPDUs; Viewing Event Logs; Configuration Example; Network Requirements; Configuration Scheme; Using the GUI; Using the CLI; Appendix: Default Parameters; Configuring DLDP; Overview...
  • Page 28 Notification Configurations; Using the GUI; Configuring the Information of NMS Hosts; Enabling SNMP Traps; Using the CLI; Configuring the NMS Host; Enabling SNMP Traps; RMON; RMON Configurations; Using the GUI; Configuring the Statistics Group; Configuring History Group; Configuring Event Group...
  • Page 29 Appendix: Default Parameters; Configuring System Logs; Overview; System Logs Configurations; Using the GUI; Configuring the Local Logs; Configuring the Remote Logs; Backing up the Logs; Viewing the Log Table; Using the CLI; Configuring the Local Logs; Configuring the Remote Logs; Configuration Example...
  • Page 30: About This Guide

    About This Guide: This User Guide provides information for managing T2600G Series Switches. Please read this guide carefully before operation. Intended Readers: This Guide is intended for network managers familiar with IT concepts and network terminologies.
  • Page 31: More Information

    ■ The Installation Guide (IG) can be found where you find this guide or inside the package of the switch. ■ Specifications can be found on the product page at https://www.tp-link.com. ■ To ask questions, find answers, and communicate with TP-Link users or engineers, please visit https://community.tp-link.com to join TP-Link Community.
  • Page 32: Accessing The Switch

    Part 1: Accessing the Switch. CHAPTERS: 1. Overview 2. Web Interface Access 3. Command Line Interface Access...
  • Page 33: Overview

    Overview: You can access and manage the switch using the GUI (Graphical User Interface, also called web interface in this text) or using the CLI (Command Line Interface). The web interface and the command line interface offer equivalent functions, but web configuration is easier and more visual than CLI configuration.
  • Page 34: Web Interface Access

    Web Interface Access: You can access the switch’s web interface through web-based authentication. The switch uses two built-in web servers, an HTTP server and an HTTPS server, for user authentication. The following example shows how to log in via the HTTP server. Login: To manage your switch through a web browser on the host PC: 1) Make sure that the route between the host PC and the switch is available.
  • Page 35: Save The Configuration File

    5) The typical web interface is displayed below. You can view the switch’s running status and configure the switch on this interface. Figure 2-3 Web Interface. 2.2 Save the Configuration File: The switch’s configuration files fall into two types: the running configuration file and the start-up configuration file.
  • Page 36: Disable The Web Server

    Disable the Web Server: You can shut down the HTTP server and HTTPS server to block any access to the web interface. Go to SECURITY > Access Security > HTTP Config, disable the HTTP server and click Apply. Figure 2-5 Shut Down HTTP Server. Go to SECURITY >...
  • Page 37: Configure the Switch's IP Address and Default Gateway

    2.4 Configure the Switch's IP Address and Default Gateway: If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN to which the access port belongs.
  • Page 38 4) Click to save the settings. ■ Configure the Default Gateway: The following example shows how to configure the switch’s gateway. By default, the switch has no default gateway. 1) Go to page L3 FEATURES > Static Routing > IPv4 Static Routing Config. Click load the following page and configure the parameters related to the switch’s gateway.
  • Page 39: Command Line Interface Access

    Command Line Interface Access: Users can access the switch's command line interface through the console (only for switches with a console port), Telnet or SSH connection, and manage the switch with the command lines. A console connection requires the host PC to connect directly to the switch’s console port, while Telnet and SSH connections support both local and remote access.
  • Page 40 indicates that you have successfully logged in to the switch and you can use the CLI now. Figure 3-1 CLI Main Window. Note: The first time you log in, change the password to better protect your network and devices. 4) Enter enable to enter the User EXEC Mode to further configure the switch.
  • Page 41: Telnet Login

    3.2 Telnet Login: The switch supports Login Local Mode for authentication by default. Login Local Mode: Username and password are required, which are both admin by default. The following steps show how to manage the switch via the Login Local Mode: 1) Make sure the switch and the PC are in the same LAN (Local Area Network).
  • Page 42: SSH Login

    3.3 SSH Login: SSH login supports the following two modes: Password Authentication Mode and Key Authentication Mode. You can choose one according to your needs: ■ Password Authentication Mode: Username and password are required, which are both admin by default.
  • Page 43 Figure 3-8 Configurations in PuTTY. 2) Enter the login username and password to log in to the switch, and you can continue to configure the switch. Figure 3-9 Log In to the Switch. Note: The first time you log in, change the password to better protect your network and devices.
  • Page 44 Figure 3-10 Generate a Public/Private Key Pair. Note: • The key length should be between 512 and 3072 bits. • You can accelerate the key generation process by moving the mouse quickly and randomly in the Key section.
  • Page 45 3) On Hyper Terminal, download the public key file from the TFTP server to the switch as shown in the following figure: Figure 3-12 Download the Public Key to the Switch. Note: • The key type should match the type of the key file. In the above CLI, v1 corresponds to SSH-1 (RSA), and v2 corresponds to SSH-2 RSA and SSH-2 DSA.
  • Page 46: Disable Telnet Login

    Figure 3-14 Download the Private Key to PuTTY. 6) After negotiation is completed, enter the username to log in. If you can log in without entering the password, the key authentication completed successfully. Figure 3-15 Log In to the Switch. Note: The first time you log in, change the password to better protect your network and devices.
  • Page 47: Disable SSH Login

    Figure 3-16 Disable Telnet login. ■ Using the CLI:
    Switch#configure
    Switch(config)#telnet disable
    3.5 Disable SSH login: You can shut down the SSH server to block any SSH access to the CLI interface. ■ Using the GUI: Go to SECURITY >...
  • Page 48: Change the Switch's IP Address and Default Gateway

    If you need to keep the configurations after the switch reboots, please use the command copy running-config startup-config to save the configurations in the start-up configuration file.
    Switch(config)#end
    Switch#copy running-config startup-config
    3.7 Change the Switch's IP Address and Default Gateway: If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN to which the access port belongs.
  • Page 49: Managing System

    Part 2: Managing System. CHAPTERS: 1. System 2. System Info Configurations 3. User Management Configurations 4. System Tools Configurations 5. EEE Configuration 6. PoE Configurations (Only for Certain Devices) 7. SDM Template Configuration 8. Time Range Configuration 9. Example for PoE Configurations 10.
  • Page 50: System

    System 1.1 Overview: In the System module, you can view the system information and configure the system parameters and features of the switch. 1.2 Supported Features: System Info: You can view the switch’s port status and system information, and configure the device description, system time, and daylight saving time.
  • Page 51 Powered device (PD) is a device receiving power from the PSE, for example, IP phones and access points. According to whether PDs comply with IEEE standard, they can be classified into standard PDs and non-standard PDs. Only standard PDs can be powered via TP-Link PoE switches.
  • Page 52: System Info Configurations

    System Info Configurations: With system information configurations, you can: ■ View the System Summary ■ Configure the Device Description ■ Configure the System Time ■ Configure the Daylight Saving Time. 2.1 Using the GUI. 2.1.1 Viewing the System Summary: Choose the menu SYSTEM >...
  • Page 53 You can move your cursor to a port to view the detailed information of the port. Figure 2-2 Port Information. Port Information Indication: Port: Displays the port number. Type: Displays the type of the port. Speed: Displays the maximum transmission rate and duplex mode of the port.
  • Page 54 Displays the bandwidth utilization of sending packets on this port. Viewing the System Information: In the System Info section, you can view the system information of the switch. Figure 2-4 System Information. System Description: Displays the system description of the switch. Device Name: Displays the name of the switch.
  • Page 55 Boot Loader Version: Displays the boot loader version of the switch. MAC Address: Displays the MAC address of the switch. System Time: Displays the system time of the switch. Running Time: Displays the running time of the switch. Serial Number: Displays the serial number of the switch.
  • Page 56: Configuring The Device Description

    2.1.2 Configuring the Device Description: Choose the menu SYSTEM > System Info > Device Description to load the following page. Figure 2-5 Configuring the Device Description. 1) In the Device Description section, configure the following parameters. Device Name: Specify a name for the switch.
  • Page 57: Configuring The Daylight Saving Time

    Managing System System Info Configurations Current System Time Displays the current date and time of the switch. Current Time Source Displays how the switch gets the current time. In the Time Config section, follow these steps to configure the system time: 1) Choose one method to set the system time and specify the related parameters.
  • Page 58: Using The Cli

    Managing System System Info Configurations 2) Choose one method to set the Daylight Saving Time and specify the related parameters. Predefined Mode If you select Predefined Mode, choose a predefined DST schedule for the switch. USA: Select the Daylight Saving Time of the USA. It is from 2:00 a.m. on the Second Sunday in March to 2:00 a.m.
  • Page 59: Configuring The Device Description

    System Location - SHENZHEN Contact Information - www.tp-link.com Hardware Version - T2600G-28TS 3.0 Software Version - 3.0.0 Build 20170820 Rel.65183(s) Bootloader Version - TP-LINK BOOTUTIL(v1.0.0) Mac Address - 00-0A-EB-13-A2-3D Serial Number - 211100100001C System Time - 2006-01-03 10:10:37 Running Time - 2 day - 2 hour - 11 min - 30 sec 2.2.2 Configuring the Device Description...
  • Page 60 Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the device name as Switch_A, set the location as BEIJING and set the contact information as https://www.tp-link.com. Switch#configure Switch(config)#hostname Switch_A Switch(config)#location BEIJING Switch(config)#contact-info https://www.tp-link.com...
  • Page 61: Configuring The System Time

    Managing System System Info Configurations 2.2.3 Configuring the System Time Follow these steps to configure the system time: Note: The mode of Synchronize with PC’s Clock does not support CLI command. Step 1 configure Enter global configuration mode. Step 2 Use the following command to set the system time manually: system-time manual time Configure the system time manually.
  • Page 62 Managing System System Info Configurations UTC+01:00 —— TimeZone for Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna. UTC+02:00 —— TimeZone for Cairo, Athens, Bucharest, Amman, Beirut, Jerusalem. UTC+03:00 —— TimeZone for Kuwait, Riyadh, Baghdad. UTC+03:30 —— TimeZone for Tehran. UTC+04:00 —— TimeZone for Moscow, St.Petersburg, Volgograd, Tbilisi, Port Louis. UTC+04:30 ——...
  • Page 63: Configuring The Daylight Saving Time

    Managing System System Info Configurations Switch(config)#show system-time ntp Time zone : UTC+08:00 Prefered NTP server: 133.100.9.2 Backup NTP server: 139.78.100.163 Last successful NTP server: 133.100.9.2 Update Rate: 11 hour(s) Switch(config)#end Switch#copy running-config startup-config 2.2.4 Configuring the Daylight Saving Time Follow these steps to configure the Daylight Saving Time: Step 1 configure Enter global configuration mode.
  • Page 64 Managing System System Info Configurations Use the following command to set the Daylight Saving Time in recurring mode: system-time dst recurring { sweek } { sday } { smonth } { stime } { eweek } { eday } { emonth } { etime } [ offset ] Specify the Daylight Saving Time in Recurring mode.
  • Page 65 Managing System System Info Configurations The following example shows how to set the Daylight Saving Time by Date Mode. Set the start time as 01:00 August 1st, 2017, set the end time as 01:00 September 1st, 2017 and set the offset as 50. Switch#configure Switch(config)#system-time dst date Aug 1 01:00 2017 Sep 1 01:00 2017 50 Switch(config)#show system-time dst...
  • Page 66: User Management Configurations

    Managing System User Management Configurations User Management Configurations With User Management, you can create and manage the user accounts for login to the switch. 3.1 Using the GUI There are four types of user accounts with different access levels: Admin, Operator, Power User and User.
  • Page 67: Configuring Enable Password

    Managing System User Management Configurations Figure 3-2 Adding Account Follow these steps to create a new user account. 1) Configure the following parameters: Username Specify a username for the account. It contains 16 characters at most, composed of digits, English letters and symbols. No spaces, question marks and double quotation marks are allowed.
  • Page 68: Using The Cli

    Managing System User Management Configurations 1) Select Set Password and specify the enable password in the Password field. It should be a string with 31 characters at most, which can contain only English letters (case-sensitive), digits and 17 kinds of special characters. The special characters are !$%’()*,-./[]_{|}.
  • Page 69 Managing System User Management Configurations Step 2 Use the following command to create an account unencrypted or symmetric encrypted. user name name { privilege admin | operator | power_user | user } password { [ 0 ] password | 7 encrypted-password } name : Enter a user name for users’...
  • Page 70: Configuring Enable Password

    Managing System User Management Configurations Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. 3.2.2 Configuring Enable Password Follow these steps to create an account of other type: Step 1 configure Enter global configuration mode.
  • Page 71 Managing System User Management Configurations Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. Tips: The logged-in users can enter the enable-admin command and the Enable Password to get the administrative privileges. The following example shows how to create a user with the access level of Operator, set the username as user1 and password as 123, and set the enable password as abc123.
  • Page 72: System Tools Configurations

    Managing System System Tools Configurations System Tools Configurations With System Tools, you can: ■ Configure the boot file ■ Restore the configuration of the switch ■ Back up the configuration file ■ Upgrade the firmware ■ Configure DHCP Auto Install ■...
  • Page 73 Managing System System Tools Configurations Follow these steps to configure the boot file: 1) In the Boot Table section, select one or more units and configure the relevant parameters. Unit Displays the number of the unit. Current Startup Image Displays the current startup image. Next Startup Select the next startup image.
  • Page 74: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations 4.1.2 Restoring the Configuration of the Switch Choose the menu SYSTEM > System Tools > Restore Config to load the following page. Figure 4-2 Restoring the Configuration of the Switch Follow these steps to restore the current configuration of the switch: 1) In the Restore Config section, select the unit to be restored.
  • Page 75: Upgrading The Firmware

    Managing System System Tools Configurations 4.1.4 Upgrading the Firmware Choose the menu SYSTEM > System Tools > Firmware Upgrade to load the following page. Figure 4-4 Upgrading the Firmware You can view the current firmware information on this page: Firmware Version Displays the current firmware version of the system.
  • Page 76 Managing System System Tools Configurations configuration file name, image file path and TFTP server IP address from the DHCP server, and then downloads the new image and configuration file from the TFTP server. Choose the menu SYSTEM > System Tools > DHCP Auto Install to load the following page.
  • Page 77: Rebooting The Switch

    Managing System System Tools Configurations 4.1.6 Rebooting the switch There are two methods to reboot the switch: manually reboot the switch and configure reboot schedule to automatically reboot the switch. Manually Rebooting the Switch Choose the menu SYSTEM > System Tools > System Reboot > System Reboot to load the following page.
  • Page 78: Resetting The Switch

    Managing System System Tools Configurations Special Time Specify the date and time for the switch to reboot. Month/Day/Year: Specify the date for the switch to reboot. Time (HH:MM): Specify the time for the switch to reboot, in the format of HH:MM. 2) Choose whether to save the current configuration before the reboot.
  • Page 79 Managing System System Tools Configurations Step 2 boot application filename { image1 | image2 } { startup | backup } Specify the configuration of the boot file. By default, image1.bin is the startup image and image2.bin is the backup image. image1 | image2: Select the image file to be configured.
  • Page 80: Restoring The Configuration Of The Switch

    Managing System System Tools Configurations Switch#copy running-config startup-config 4.2.2 Restoring the Configuration of the Switch Follow these steps to restore the configuration of the switch: Step 1 enable Enter privileged mode. Step 2 copy tftp startup-config ip-address ip-addr filename name Download the configuration file to the switch from TFTP server.
  • Page 81: Upgrading The Firmware

    Managing System System Tools Configurations Start to backup user config file... Backup user config file OK. 4.2.4 Upgrading the Firmware Follow these steps to upgrade the firmware: Step 1 enable Enter privileged mode. Step 2 firmware upgrade ip-address ip-addr filename name Upgrade the switch’s backup image via TFTP server.
  • Page 82 Managing System System Tools Configurations Step 3 boot autoinstall auto-save Enable the auto save mode and the switch will save the configuration file downloaded as startup configuration file automatically. Step 4 boot autoinstall auto-reboot Enable the auto reboot mode and the switch will reboot automatically after the auto install process is completed successfully.
  • Page 83: Rebooting The Switch

    Managing System System Tools Configurations Auto Insatll sate........Stopped 4.2.6 Rebooting the Switch Manually Rebooting the Switch Follow these steps to reboot the switch: Step 1 enable Enter privileged mode. Step 2 reboot Reboot the switch. Configuring Reboot Schedule Follow these steps to configure the reboot schedule: Step 1 configure Enter global configuration mode.
  • Page 84: Resetting The Switch

    Managing System System Tools Configurations The following example shows how to set the switch to reboot at 12:00 on 15/08/2017. Switch#configure Switch(config)#reboot-schedule at 12:00 15/08/2017 save_before_reboot Reboot system at 15/08/2017 12:00. Continue? (Y/N): Y Reboot Schedule Settings --------------------------- Reboot schedule at 2017-08-15 12:00 (in 25582 minutes) Save before reboot: Yes Switch(config)#end Switch#copy running-config startup-config...
  • Page 85: Eee Configuration

    Managing System EEE Configuration EEE Configuration Choose the menu SYSTEM > EEE to load the following page. Figure 5-1 Configuring EEE Follow these steps to configure EEE: 1) In the EEE Config section, select one or more ports to be configured. 2) Enable or disable EEE on the selected port(s).
  • Page 86 Managing System EEE Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable the EEE feature on port 1/0/1. Switch#config Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#eee Switch(config-if)#show interface eee Port...
  • Page 87: Poe Configurations (Only For Certain Devices)

    Managing System PoE Configurations (Only for Certain Devices) PoE Configurations (Only for Certain Devices) Note: Only T2600G-28MPS supports PoE feature. With the PoE feature, you can: ■ Configure the PoE parameters manually ■ Configure the PoE parameters using the profile You can configure the PoE parameters one by one via configuring the PoE parameters manually.
  • Page 88: Using The Gui

    Managing System PoE Configurations (Only for Certain Devices) 6.1 Using the GUI 6.1.1 Configuring the PoE Parameters Manually Choose the menu SYSTEM > PoE > PoE Config to load the following page. Figure 6-1 Configuring PoE Parameters Manually Follow these steps to configure the basic PoE parameters: 1) In the PoE Config section, you can view the current PoE parameters.
  • Page 89 Managing System PoE Configurations (Only for Certain Devices) Figure 6-2 Configuring System Power Limit Unit Displays the unit number. System Power Limit Specify the maximum power the PoE switch can supply. 2) In the Port Config section, select the port you want to configure and specify the parameters.
  • Page 90 Managing System PoE Configurations (Only for Certain Devices) PoE Profile A quick configuration method for the corresponding ports. If one profile is selected, you will not be able to modify PoE status, PoE priority or power limit manually. For how to create a profile, refer to Configuring the PoE Parameters Using the Profile.
  • Page 91: Configuring The Poe Parameters Using The Profile

    Managing System PoE Configurations (Only for Certain Devices) 6.1.2 Configuring the PoE Parameters Using the Profile ■ Creating a PoE Profile Choose the menu SYSTEM > PoE > PoE Profile and click to load the following page. Figure 6-3 Creating a PoE Profile Follow these steps to create a PoE profile: 1) In the Create PoE Profile section, specify the desired configurations of the profile.
  • Page 92 Managing System PoE Configurations (Only for Certain Devices) ■ Binding the Profile to the Corresponding Ports Choose the menu SYSTEM > PoE > PoE Config to load the following page. Figure 6-4 Binding the Profile to the Corresponding Ports Follow these steps to bind the profile to the corresponding ports: 1) In the PoE Config section, you can view the current PoE parameters.
  • Page 93 Managing System PoE Configurations (Only for Certain Devices) Figure 6-5 Configuring System Power Limit Unit Displays the unit number. System Power Limit Specify the maximum power the PoE switch can supply. 2) In the Port Config section, select one or more ports and configure the following two parameters: Time Range and PoE Profile.
  • Page 94: Using The Cli

    Managing System PoE Configurations (Only for Certain Devices) 6.2 Using the CLI 6.2.1 Configuring the PoE Parameters Manually Follow these steps to configure the basic PoE parameters: Step 1 configure Enter global configuration mode. Step 2 power inline consumption power-limit Specify the maximum power the PoE switch can supply globally.
  • Page 95 Managing System PoE Configurations (Only for Certain Devices) Step 9 show power inline configuration interface [ fastEthernet { port | port-list } | gigabitEthernet { port | port-list } | ten-gigabitEthernet { port | port-list }] Verify the PoE configuration of the corresponding port. port : Specify the Ethernet port number, for example 1/0/1.
  • Page 96: Configuring The Poe Parameters Using The Profile

    Managing System PoE Configurations (Only for Certain Devices) Interface Power(w) Current(mA) Voltage(v) PD-Class Power-Status ---------- -------- ----------- ---------- ----------- ---------------- Gi1/0/5 1.3 53.5 Class 2 Switch(config-if)#end Switch#copy running-config startup-config 6.2.2 Configuring the PoE Parameters Using the Profile Follow these steps to configure the PoE profile: Step 1 configure Enter global configuration mode.
  • Page 97 Managing System PoE Configurations (Only for Certain Devices) Step 5 power inline profile name Bind a PoE profile to the desired port. If one profile is selected, you will not be able to modify PoE status, PoE priority or power limit manually. name : Specify the name of the PoE profile.
  • Page 98 Managing System PoE Configurations (Only for Certain Devices) Switch(config-if)#power inline profile profile1 Switch(config-if)#show power inline configuration interface gigabitEthernet 1/0/6 Interface PoE-Status PoE-Prio Power-Limit(w) Time-Range PoE-Profile ---------- ---------- ---------- ------------ ------------- ---------------- Gi1/0/6 Enable Middle Class2 No Limit profile1 Switch(config-if)#end Switch#copy running-config startup-config
  • Page 99: Sdm Template Configuration

    Managing System SDM Template Configuration SDM Template Configuration 7.1 Using the GUI Choose the menu SYSTEM > SDM Template to load the following page. Figure 7-1 Configuring SDM Template (For T2600G-28TS/T2600G-28MPS/T2600G-28SQ/T2600G-52TS) Figure 7-2 Configuring SDM Template (For T2600G-18TS) In SDM Template Config section, select one template and click Apply. The setting will be effective after the switch is rebooted.
  • Page 100: Using The Cli

    Managing System SDM Template Configuration Next Template Displays the template that will be effective after the reboot. Select Next Template Select the template that will be effective after the next reboot. Default: Select the default template. It gives balance to the IP ACL rules and MAC ACL rules.
  • Page 101 Managing System SDM Template Configuration Step 2 show sdm prefer { used | default | enterpriseV4 | enterpriseV6 } View the template table. It will help you determine which template is suitable for your network. used: Displays the resource allocation of the current template. default: Displays the resource allocation of the default template.
  • Page 102: Time Range Configuration

    Managing System Time Range Configuration Time Range Configuration To complete Time Range configuration, follow these steps: 1) Add time range entries. 2) Configure Holiday time range. 8.1 Using the GUI 8.1.1 Adding Time Range Entries Choose the menu SYSTEM > Time Range > Time Range Config and click to load the following page.
  • Page 103 Managing System Time Range Configuration Figure 8-2 Adding Period Time Configure the following parameters and click Create: Date Specify the start date and end date of this time range. Time Specify the start time and end time of a day. Day of Week Select days of a week as the period of this time range.
  • Page 104: Configuring Holiday

    Managing System Time Range Configuration Figure 8-3 View Configuration Result 8.1.2 Configuring Holiday Choose the menu SYSTEM > Time Range > Holiday Config and click to load the following page. Figure 8-1 Configuring Holiday Configure the following parameters and click Create to add a Holiday entry. Holiday Name Specify a name for the entry.
  • Page 105: Using The Cli

    Managing System Time Range Configuration 8.2 Using the CLI 8.2.1 Adding Time Range Entries Follow these steps to add time range entries: Step 1 configure Enter global configuration mode. Step 2 time-range name Create a time-range entry. name : Specify a name for the entry. Step 3 holiday { exclude | include } Include or exclude the holiday in the time range.
  • Page 106: Configuring Holiday

    Managing System Time Range Configuration The following example shows how to create a time range entry and set the name as time1, holiday mode as exclude, absolute time as 10/01/2017 to 10/31/2017 and periodic time as 8:00 to 20:00 on every Monday and Tuesday: Switch#config Switch(config)#time-range time1 Switch(config-time-range)#holiday exclude...
  • Page 107 Managing System Time Range Configuration Step 8 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a holiday entry and set the entry name as holiday1 and set start date and end date as 07/01 and 09/01: Switch#config Switch(config)#holiday holiday1 start-date 07/01 end-date 09/01 Switch(config)#show holiday...
  • Page 108: Example For Poe Configurations

    Managing System Example for PoE Configurations Example for PoE Configurations 9.1 Network Requirements The network topology of a company is shown below. Camera1 and Camera2 work for the security of the company and cannot be powered off at any time. AP1 and AP2 provide the internet service and only work during office time.
  • Page 109 Managing System Example for PoE Configurations Figure 9-2 Creating Time Range 2) Click and the following window will pop up. Set Date, Time and Day of Week as the following figure shows. Click Create. Figure 9-3 Creating a Periodic Time 3) Specify a name for the time range. Click Create.
  • Page 110 Managing System Example for PoE Configurations Figure 9-4 Configuring Time Range 4) Choose the menu SYSTEM > PoE > PoE Config to load the following page. Select port 1/0/3 and set the Time Range as OfficeTime. Click Apply. Figure 9-5 Configure the Port 5) Click to save the settings.
  • Page 111: Using The Cli

    Managing System Example for PoE Configurations 9.4 Using the CLI The configuration of port 1/0/4 is similar to that of port 1/0/3. Here we take port 1/0/3 as an example. 1) Create a time-range. Switch_A#config Switch_A(config)#time-range office-time Switch_A(config-time-range)#holiday exclude Switch_A(config-time-range)#absolute from 01/01/2017 to 01/01/2018 Switch_A(config-time-range)#periodic start 08:30 end 18:00 day-of-the-week 1-5 Switch_A(config-time-range)#exit 2) Enable the PoE function on the port 1/0/3.
  • Page 112 Managing System Example for PoE Configurations Interface PoE-Status PoE-Prio Power-Limit(w) Time-Range PoE-Profile ---------- ---------- -------- -------------- ------------- ---------------- Gi1/0/3 Enable Class4 office-time None
  • Page 113: Appendix: Default Parameters

    Parameter Default Setting Device Name The model name of the switch. Device Location SHENZHEN System Contact www.tp-link.com Table 10-2 Default Settings of System Time Configuration Parameter Default Setting Time Source Manual Table 10-3 Default Settings of Daylight Saving Time Configuration...
  • Page 114 Managing System Appendix: Default Parameters Parameter Default Setting Backup Config config2.cfg Default setting of EEE is listed in the following table. Table 10-6 Default Settings of EEE Configuration Parameter Default Setting Status Disabled (For T2600G-28MPS) Default settings of PoE are listed in the following table. Table 10-7 Default Settings of PoE Configuration Parameter...
  • Page 115 Managing System Appendix: Default Parameters Default settings of Time Range are listed in the following table. Table 10-9 Default Settings of Time Range Configuration Parameter Default Setting Holiday Include
  • Page 116: Managing Physical Interfaces

    Part 3 Managing Physical Interfaces CHAPTERS 1. Physical Interface 2. Basic Parameters Configurations 3. Port Isolation Configurations 4. Loopback Detection Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 117: Physical Interface

    Managing Physical Interfaces Physical Interface Physical Interface 1.1 Overview Interfaces are used to exchange data and interact with interfaces of other network devices. Interfaces are classified into physical interfaces and layer 3 interfaces. ■ Physical interfaces are the ports on the switch panel. They forward packets based on MAC address table.
  • Page 118: Basic Parameters Configurations

    Managing Physical Interfaces Basic Parameters Configurations Basic Parameters Configurations 2.1 Using the GUI Choose the menu L2 FEATURES > Switching > Port > Port Config to load the following page. Figure 2-1 Configuring Basic Parameters Follow these steps to configure basic parameters for the ports: 1) Configure the MTU size of jumbo frames for all the ports, then click Apply.
  • Page 119: Using The Cli

    Managing Physical Interfaces Basic Parameters Configurations Description (Optional) Enter a description for the port. Status With this option enabled, the port forwards packets normally. Otherwise, the port cannot work. By default, it is enabled. Speed Select the appropriate speed mode for the port. When Auto is selected, the port automatically negotiates speed mode with the neighbor device.
  • Page 120 Managing Physical Interfaces Basic Parameters Configurations Step 4 Configure basic parameters for the port: description string Give a port description for identification. string : Content of a port description, ranging from 1 to 16 characters. shutdown no shutdown Use shutdown to disable the port, and use no shutdown to enable the port. When the status is enabled, the port can forward packets normally, otherwise it will discard the received packets.
  • Page 121 Managing Physical Interfaces Basic Parameters Configurations Switch(config-if)#description router connection Switch(config-if)#speed auto Switch(config-if)#duplex auto Switch(config-if)#flow-control Switch(config-if)#show interface configuration gigabitEthernet 1/0/1 Port State Speed Duplex FlowCtrl Description -------- ----- -------- ------ -------- ----------- Gi1/0/1 Enable Auto Auto Enable router connection Switch(config-if)#show jumbo-size Global jumbo size : 9216 Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 122: Port Isolation Configurations

    Managing Physical Interfaces Port Isolation Configurations Port Isolation Configurations 3.1 Using the GUI Port Isolation is used to limit the data transmitted by a port. The isolated port can only send packets to the ports specified in its forwarding Port list. Choose the menu L2 FEATURES >...
  • Page 123: Using The Cli

    Managing Physical Interfaces Port Isolation Configurations Figure 3-2 Port Isolation Follow these steps to configure Port Isolation: 1) In the Port section, select one or multiple ports to be isolated. 2) In the Forwarding Port List section, select the forwarding ports or LAGs which the isolated ports can only communicate with.
  • Page 124 Managing Physical Interfaces Port Isolation Configurations Step 3 port isolation { [fa-forward-list fa-forward-list ] [gi-forward-list gi-forward-list ] [te-forward-list te-forward-list ] [ po-forward-list po-forward-list ] } Add ports or LAGs to the forwarding port list of the isolated port. It is multi-optional. fa-forward-list / gi-forward-list / te-forward-list : Specify the forwarding Ethernet ports.
  • Page 125: Loopback Detection Configuration

    Managing Physical Interfaces Loopback Detection Configuration Loopback Detection Configuration 4.1 Using the GUI To avoid broadcast storm, we recommend that you enable storm control before loopback detection is enabled. For detailed introductions about storm control, refer to Configuring Choose the menu L2 FEATURES > Switching > Port > Loopback Detection to load the following page.
  • Page 126 Managing Physical Interfaces Loopback Detection Configuration Loopback Detection Status Enable loopback detection globally. Detection Interval Set the interval of sending loopback detection packets in seconds. The valid value ranges from 1 to 1000 and the default value is 30. Auto-recovery Set the recovery time globally.
  • Page 127: Using The Cli

    Managing Physical Interfaces Loopback Detection Configuration 4.2 Using the CLI Follow these steps to configure loopback detection: Step 1 configure Enter global configuration mode. Step 2 loopback-detection Enable the loopback detection feature globally. By default, it is disabled. Step 3 loopback-detection interval interval-time Set the interval of sending loopback detection packets which is used to detect the loops in the network.
  • Page 128 Managing Physical Interfaces Loopback Detection Configuration Step 10 show loopback-detection interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel } Verify the Loopback Detection configuration of the specified port. Step 11 Return to privileged EXEC mode. Step 12 copy running-config startup-config Save the settings in the configuration file.
  • Page 129: Configuration Examples

    Managing Physical Interfaces Configuration Examples Configuration Examples 5.1 Example for Port Isolation 5.1.1 Network Requirements As shown below, three hosts and a server are connected to the switch and all belong to VLAN 10. Without changing the VLAN configuration, Host A is not allowed to communicate with the other hosts except the server, even if the MAC address or IP address of Host A is changed.
  • Page 130 Managing Physical Interfaces Configuration Examples Figure 5-2 Port Isolation List 2) Click Edit on the above page to load the following page. Select port 1/0/1 as the port to be isolated, and select port 1/0/4 as the forwarding port. Click Apply. Figure 5-3 Port Isolation Configuration 3) Select port 1/0/4 as the port to be isolated, and select port 1/0/1 as the forwarding port.
  • Page 131: Using The Cli

    Managing Physical Interfaces Configuration Examples Figure 5-4 Port Isolation Configuration 4) Click to save the settings. 5.1.4 Using the CLI Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#port isolation gi-forward-list 1/0/4 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#port isolation gi-forward-list 1/0/1 Switch(config-if)#end Switch#copy running-config startup-config Verify the Configuration Switch#show port isolation interface Port Forward-List...
  • Page 132: Example For Loopback Detection

    Managing Physical Interfaces Configuration Examples Gi1/0/2 Gi1/0/1-28,Po1-14 Gi1/0/3 Gi1/0/1-28,Po1-14 Gi1/0/4 Gi1/0/1 5.2 Example for Loopback Detection 5.2.1 Network Requirements As shown below, Switch A is a convergence-layer switch connecting to several access-layer switches. Loops can be easily caused in case of misoperation on the access-layer switches.
  • Page 133: Using The Gui

    Managing Physical Interfaces Configuration Examples 5.2.3 Using the GUI 1) Choose the menu L2 FEATURES > Switching > Port > Loopback Detection to load the configuration page. 2) In the Loopback Detection section, enable loopback detection and web refresh globally. Keep the other parameters as default values and click Apply. Figure 5-6 Global Configuration 3) In the Port Config section, enable ports 1/0/1-3, select the operation mode as Port-Based so that the port will be blocked when a loop is detected, and keep the recovery...
  • Page 134: Using The Cli

    Managing Physical Interfaces Configuration Examples 5.2.4 Using the CLI 1) Enable loopback detection globally and configure the detection interval and recovery time. Switch#configure Switch(config)#loopback-detection Switch(config)#loopback-detection interval 30 Switch(config)#loopback-detection recovery-time 3 2) Enable loopback detection on ports 1/0/1-3 and set the process mode and recovery mode.
  • Page 135: Appendix: Default Parameters

    Managing Physical Interfaces Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 6-1 Configurations for Ports Parameter Default Setting Port Config Jumbo 1518 bytes Copper (For RJ45 Ports) Type Fiber (For SFP Ports) Status Enabled Auto (For RJ45 Ports)
  • Page 136: Configuring Lag

    Part 4 Configuring LAG CHAPTERS 1. LAG 2. LAG Configuration 3. Configuration Examples 4. Appendix: Default Parameters...
  • Page 137: Lag

    Configuring LAG 1.1 Overview With LAG (Link Aggregation Group) function, you can aggregate multiple physical ports into a logical interface, increasing link bandwidth and providing backup ports to enhance the connection reliability. 1.2 Supported Features You can configure LAG in two ways: static LAG and LACP (Link Aggregation Control Protocol).
  • Page 138: Lag Configuration

    Configuring LAG LAG Configuration LAG Configuration To complete LAG configuration, follow these steps: 1) Configure the global load-balancing algorithm. 2) Configure Static LAG or LACP. Configuration Guidelines ■ Ensure that both ends of the aggregation link work in the same LAG mode. For example, if the local end works in LACP mode, the peer end should also be set as LACP mode.
  • Page 139: Using The Gui

    Configuring LAG LAG Configuration 2.1 Using the GUI 2.1.1 Configuring Load-balancing Algorithm Choose the menu L2 FEATURES > Switching > LAG > LAG Table to load the following page. Figure 2-1 Global Config In the Global Config section, select the load-balancing algorithm (Hash Algorithm), then click Apply.
  • Page 140: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration as “SRC MAC” to allow Switch A to determine the forwarding port based on the source MAC addresses of the received packets. Figure 2-2 Hash Algorithm Configuration Switch A Switch B Hosts Server 2.1.2 Configuring Static LAG or LACP For one port, you can choose only one LAG mode: Static LAG or LACP.
  • Page 141 Configuring LAG LAG Configuration Note: Clearing all member ports will delete the LAG. ■ Configuring LACP Choose the menu L2 FEATURES > Switching > LAG > LACP to load the following page. Figure 2-4 LACP Config Follow these steps to configure LACP: 1) Specify the system priority for the switch and click Apply.
  • Page 142: Using The Cli

    Configuring LAG LAG Configuration Group ID Specify the group ID of the LAG. Note that the group ID of other static LAGs cannot be set as this value. The valid value of the Group ID is determined by the maximum number of LAGs supported by your switch.
  • Page 143: Configuring Static Lag Or Lacp

    Configuring LAG LAG Configuration Step 2 port-channel load-balance { src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip } Select the Hash Algorithm. The switch will choose the ports to transfer the packets based on the Hash Algorithm. In this way, different data flows are forwarded on different physical links to implement load balancing.
  • Page 144 Configuring LAG LAG Configuration ■ Configuring Static LAG Follow these steps to configure static LAG: Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode.
  • Page 145 Configuring LAG LAG Configuration ■ Configuring LACP Follow these steps to configure LACP: Step 1 configure Enter global configuration mode. Step 2 lacp system-priority pri Specify the system priority for the switch. To keep active ports consistent at both ends, you can set the priority of one device to be higher than that of the other device.
  • Page 146 Configuring LAG LAG Configuration
    Step 9 copy running-config startup-config Save the settings in the configuration file.
    The following example shows how to specify the system priority of the switch as 2:
    Switch#configure
    Switch(config)#lacp system-priority 2
    Switch(config)#show lacp sys-id
    2, 000a.eb13.2397
    Switch(config)#end
    Switch#copy running-config startup-config
    The following example shows how to add ports 1/0/1-4 to LAG 6, set the mode as LACP,...
  • Page 147: Configuration Examples

    Configuring LAG Configuration Examples Configuration Examples 3.1 Example for Static LAG 3.1.1 Network Requirements As shown below, hosts and servers are connected to switch A and switch B, and heavy traffic is transmitted between the two switches. To achieve high speed and reliability of data transmission, users need to improve the bandwidth and redundancy of the link between the two switches.
  • Page 148: Using The Cli

    Configuring LAG Configuration Examples Figure 3-2 Global Configuration 2) Choose the menu L2 FEATURES > Switching > LAG > Static LAG to load the following page. Select LAG 1 and add ports 1/0/1-8 to LAG 1. Figure 3-3 System Priority Configuration 3) Click to save the settings.
  • Page 149: Example For Lacp

    Configuring LAG Configuration Examples R - layer3 S - layer2 f - failed to allocate aggregator u - unsuitable for bundling w - waiting to be aggregated d - default port Group Port-channel Protocol Ports ----- --------- ------- ------------------------------- Po2(S) Gi1/0/1(D) Gi1/0/2(D) Gi1/0/3(D) Gi1/0/4(D) Gi1/0/5(D) Gi1/0/6(D) Gi1/0/7(D) Gi1/0/8(D) 3.2 Example for LACP...
  • Page 150: Using The Gui

    Configuring LAG Configuration Examples 3.2.3 Using the GUI The configurations of switch A and switch B are similar. The following introductions take switch A as an example. 1) Choose the menu L2 FEATURES > Switching > LAG > LAG Table to load the following page.
  • Page 151: Using The Cli

    Configuring LAG Configuration Examples 3.2.4 Using the CLI
    The configurations of switch A and switch B are similar. The following introductions take switch A as an example.
    1) Configure the load-balancing algorithm as “src-dst-mac”.
    Switch#configure
    Switch(config)#port-channel load-balance src-dst-mac
    2) Specify the system priority of Switch A as 0. Remember to ensure that the system priority value of Switch B is bigger than 0.
  • Page 152 Configuring LAG Configuration Examples 0, 000a.eb13.2397 Verify the LACP configuration: Switch#show lacp internal Flags: S - Device is requesting Slow LACPDUs F - Device is requesting Fast LACPDUs A - Device is in active mode P - Device is in passive mode Channel group 1 Port Flags State LACP Port Priority Admin Key Oper Key Port Number Port State...
  • Page 153: Appendix: Default Parameters

    Configuring LAG Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 4-1 Default Settings of LAG Parameter Default Setting LAG Table Hash Algorithm SRC MAC+DST MAC LACP Config System Priority 32768 Admin Key Port Priority 32768 Mode...
  • Page 154: Configuring Ddm (Only For Certain Devices)

    Part 5 Configuring DDM (Only for Certain Devices) CHAPTERS 1. Overview 2. DDM Configuration 3. Appendix: Default Parameters...
  • Page 155: Overview

    Configuring DDM (Only for Certain Devices) Overview Overview Note: Only T2600G-18TS, T2600G-28TS, T2600G-28MPS and T2600G-28SQ support DDM function. The DDM (Digital Diagnostic Monitoring) function is used to monitor the status of the SFP modules inserted into the SFP ports on the switch. The user can choose to shut down the monitored SFP port automatically when the specified parameter exceeds the alarm threshold or warning threshold.
  • Page 156: Ddm Configuration

    Configuring DDM (Only for Certain Devices) DDM Configuration DDM Configuration To complete DDM configuration, follow these steps: 1) Enable DDM on the SFP port and configure the shutdown condition. 2) Configure the specified value for warning or alarm threshold. 2.1 Using the GUI 2.1.1 Configuring DDM Globally Choose the menu L2 FEATURES >...
  • Page 157: Configuring The Threshold

    Configuring DDM (Only for Certain Devices) DDM Configuration 2.1.2 Configuring the Threshold Note: The value of threshold parameters should conform to the following rule: High Alarm ≥ High Warning ≥ Low Warning ≥ Low Alarm. Choose the menu L2 FEATURES > Switching > DDM > Threshold Config to load the following page.
  • Page 158 Configuring DDM (Only for Certain Devices) DDM Configuration ■ Configuring the Voltage Threshold Figure 2-3 Configure Voltage Threshold Follow these steps to configure DDM's voltage threshold: 1) In the Voltage table, select one or more SFP ports to configure voltage threshold on the SFP ports.
  • Page 159 Configuring DDM (Only for Certain Devices) DDM Configuration ■ Configuring the Bias Current Threshold Figure 2-4 Configure Bias Current Threshold Follow these steps to configure DDM's bias current threshold: 1) In the Bias Current table, select one or more SFP ports to configure bias current threshold on the SFP ports.
  • Page 160 Configuring DDM (Only for Certain Devices) DDM Configuration ■ Configuring the Rx Power Threshold Figure 2-5 Configure Rx Power Threshold Follow these steps to configure DDM's Rx power threshold: 1) In the RX Power table, select one or more SFP ports to configure Rx power threshold on the SFP ports.
  • Page 161 Configuring DDM (Only for Certain Devices) DDM Configuration ■ Configuring the Tx Power Threshold Figure 2-6 Configure Tx Power Threshold Follow these steps to configure DDM's Tx power threshold: 1) In the TX Power table, select one or more SFP ports to configure Tx power threshold on the SFP ports.
  • Page 162: Viewing Ddm Status

    Configuring DDM (Only for Certain Devices) DDM Configuration 2.1.3 Viewing DDM Status Choose the menu L2 FEATURES > Switching > DDM > DDM Status to load the following page. Figure 2-7 View DDM Status In the Port Config table, view the current operating parameters for the SFP modules inserted into the SFP ports.
  • Page 163: Configuring Ddm Shutdown

    Configuring DDM (Only for Certain Devices) DDM Configuration Step 3 ddm state enable Enable DDM on this SFP port. Step 4 show ddm configuration state Display the DDM state of the SFP ports. Step 5 Return to Privileged EXEC Mode. Step 6 copy running-config startup-config Save the settings in the configuration file.
  • Page 164: Configuring The Threshold

    Configuring DDM (Only for Certain Devices) DDM Configuration Step 4 show ddm configuration state Display the DDM state of the SFP ports. Step 5 Return to Privileged EXEC Mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set SFP port 1/0/25 to shut down when the warning threshold is exceeded.
  • Page 165 Configuring DDM (Only for Certain Devices) DDM Configuration Step 3 ddm temperature_threshold { high_alarm | high_warning | low_alarm | low_warning } value high_alarm: Specify the high threshold for the alarm. When the operating parameter rises above this value, action associated with the alarm will be taken. high_warning: Specify the high threshold for the warning.
  • Page 166 Configuring DDM (Only for Certain Devices) DDM Configuration ■ Configuring Voltage Threshold Follow these steps to configure the threshold of the DDM voltage on the specified SFP port. Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode.
  • Page 167 Configuring DDM (Only for Certain Devices) DDM Configuration Switch(config-if)#end Switch#copy running-config startup-config ■ Configuring Bias Current Threshold Follow these steps to configure the threshold of the DDM bias current on the specified SFP port. Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list }...
  • Page 168 Configuring DDM (Only for Certain Devices) DDM Configuration Gi1/0/27 120.000000 -- Switch(config-if)#end Switch#copy running-config startup-config ■ Configuring Rx Power Threshold Follow these steps to configure the threshold of the DDM Rx power on the specified SFP port. Step 1 configure Enter global configuration mode.
  • Page 169 Configuring DDM (Only for Certain Devices) DDM Configuration Rx Power Threshold(mW) : High Alarm Low Alarm High Warning Low Warning Gi1/0/27 6.000000 Switch(config-if)#end Switch#copy running-config startup-config ■ Configuring Tx Power Threshold Follow these steps to configure the threshold of the DDM Tx power on the specified SFP port.
  • Page 170: Viewing Ddm Configuration

    Configuring DDM (Only for Certain Devices) DDM Configuration Switch(config)#interface gigabitEthernet 1/0/27 Switch(config-if)#ddm tx_power_threshold high_alarm 6 Switch(config-if)#show ddm configuration tx_power Tx Power Threshold(mW) : High Alarm Low Alarm High Warning Low Warning Gi1/0/27 6.000000 Switch(config-if)#end Switch#copy running-config startup-config 2.2.4 Viewing DDM Configuration Follow these steps to view the DDM configuration.
  • Page 171: Viewing Ddm Status

    Configuring DDM (Only for Certain Devices) DDM Configuration Gi1/0/28 Switch(config)#end 2.2.5 Viewing DDM Status Follow these steps to view the DDM status, which is the digital diagnostic monitoring status of SFP modules inserted into the switch’s SFP ports. Step 1 configure Enter global configuration mode.
  • Page 172: Appendix: Default Parameters

    Configuring DDM (Only for Certain Devices) Appendix: Default Parameters Appendix: Default Parameters Default settings of DDM are listed in the following table. Table 3-1 Default Settings of DDM Parameter Default Setting DDM Status Enabled. All the SFP ports are being monitored. None.
  • Page 173: Managing Mac Address Table

    Part 6 Managing MAC Address Table CHAPTERS 1. MAC Address Table 2. Address Configurations 3. Security Configurations 4. Example for Security Configurations 5. Appendix: Default Parameters...
  • Page 174: Mac Address Table

    Managing MAC Address Table MAC Address Table MAC Address Table 1.1 Overview The MAC address table contains address information that the switch uses to forward packets. As shown below, the table lists map entries of MAC addresses, VLAN IDs and ports.
  • Page 175 Managing MAC Address Table MAC Address Table ■ Filtering address Filtering addresses are manually added and determine the packets with specific source or destination MAC addresses that will be dropped by the switch. Security Configurations ■ Configuring MAC Notification Traps You can configure traps and SNMP (Simple Network Management Protocol) to monitor and receive notifications of the usage of the MAC address table and the MAC address change activity.
  • Page 176: Address Configurations

    Managing MAC Address Table Address Configurations Address Configurations With MAC address table, you can: ■ Add static MAC address entries ■ Change the address aging time ■ Add filtering address entries ■ View address table entries 2.1 Using the GUI 2.1.1 Adding Static MAC Address Entries You can add static MAC address entries by manually specifying the desired MAC address or binding dynamic MAC address entries.
  • Page 177 Managing MAC Address Table Address Configurations Follow these steps to add a static MAC address entry: 1) Enter the MAC address, VLAN ID and select a port to bind them together as an address entry. MAC Address Enter the static MAC address to be added to the static MAC address entry. VLAN ID Specify an existing VLAN in which packets with the specific MAC address are received.
  • Page 178: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table Address Configurations Note: • In the same VLAN, once an address is configured as a static address, it cannot be set as a filtering address, and vice versa. • Multicast or broadcast addresses cannot be set as static addresses. •...
  • Page 179: Adding Mac Filtering Address Entries

    Managing MAC Address Table Address Configurations 2.1.3 Adding MAC Filtering Address Entries Choose the menu L2 FEATURES > Switching > MAC Address > Filtering Address and click to load the following page. Figure 2-4 Adding MAC Filtering Address Entries Follow these steps to add MAC filtering address entries: 1) Enter the MAC Address and VLAN ID.
  • Page 180: Using The Cli

    Managing MAC Address Table Address Configurations Choose the menu L2 FEATURES > Switching > MAC Address > Address Table and click to load the following page. Figure 2-5 Viewing Address Table Entries 2.2 Using the CLI 2.2.1 Adding Static MAC Address Entries Follow these steps to add static MAC address entries: Step 1 configure...
  • Page 181: Modifying The Aging Time Of Dynamic Address Entries

    Managing MAC Address Table Address Configurations Step 3 Return to privileged EXEC mode. Step 4 copy running-config startup-config Save the settings in the configuration file. Note: • In the same VLAN, once an address is configured as a static address, it cannot be set as a filtering address, and vice versa.
  • Page 182: Adding Mac Filtering Address Entries

    Managing MAC Address Table Address Configurations Step 2 mac address-table aging-time aging-time Set your desired length of address aging time for dynamic address entries. aging-time: Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.
  • Page 183 Managing MAC Address Table Address Configurations Note: • In the same VLAN, once an address is configured as a filtering address, it cannot be set as a static address, and vice versa. • Multicast or broadcast addresses cannot be set as filtering addresses. The following example shows how to add the MAC filtering address 00:1e:4b:04:01:5d to VLAN 10.
  • Page 184: Security Configurations

    Managing MAC Address Table Security Configurations Security Configurations With security configurations of the MAC address table, you can: ■ Configure MAC notification traps ■ Limit the number of MAC addresses in VLANs 3.1 Using the GUI 3.1.1 Configuring MAC Notification Traps Choose the menu L2 FEATURES >...
  • Page 185: Limiting The Number Of Mac Addresses Learned In Vlans

    Managing MAC Address Table Security Configurations Follow these steps to configure MAC notification traps: 1) In the MAC Notification Global Config section, enable this feature, configure the relevant options, and click Apply. Global Status Enable MAC notification feature globally. Table Full Enable Table Full Notification, and when address table is full, a notification will be Notification generated and sent to the management host.
  • Page 186 Managing MAC Address Table Security Configurations Forward Packets of new source MAC addresses will be forwarded but the addresses will not be learned when the maximum number of MAC addresses is exceeded. 2) In the MAC VLAN Security Table section, click Add to load the following page. Enter the VLAN ID and the Max Learned Number to limit the number of MAC addresses that can be learned in the specified VLAN.
  • Page 187: Using The Cli

    Managing MAC Address Table Security Configurations VLAN ID Specify an existing VLAN in which you want to limit the number of MAC addresses. 2) Enter your desired value in Max Learned Number to set a threshold. Max Learned Set the maximum number of MAC addresses in the specific VLAN. It ranges from Number 0 to 16383.
  • Page 188 Managing MAC Address Table Security Configurations Step 5 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Configure notification traps on the specified port. port/ port-list: The number or the list of the Ethernet port that you want to configure notification traps.
  • Page 189: Limiting The Number Of Mac Addresses In Vlans

    Managing MAC Address Table Security Configurations Gi1/0/1 disable enable Switch(config-if)#end Switch#copy running-config startup-config 3.2.2 Limiting the Number of MAC Addresses in VLANs ■ For T2600G-18TS Follow these steps to limit the number of MAC addresses in VLANs: Step 1 configure Enter global configuration mode.
  • Page 190 Managing MAC Address Table Security Configurations Drop Switch(config)#end Switch#copy running-config startup-config ■ For T2600G-28TS/T2600G-52TS/T2600G-28MPS/T2600G-28SQ Follow these steps to limit the number of MAC addresses in VLANs: Step 1 configure Enter global configuration mode. Step 2 mac address-table security vid vid max-learn num {drop | forward} Configure the maximum number of MAC addresses in the specified VLAN and select a mode for the switch to adopt when the maximum number is exceeded.
  • Page 191: Example For Security Configurations

    Managing MAC Address Table Example for Security Configurations Example for Security Configurations 4.1 Network Requirements Several departments are connected to the company network as shown in Figure 4-1. Now the Marketing Department that is in VLAN 10 has network requirements as follows: ■...
  • Page 192: Using The Gui

    Managing MAC Address Table Example for Security Configurations 4.3 Using the GUI 1) Choose the menu L2 FEATURES > Switching > MAC Address > MAC VLAN Security and click Add to load the following page. Set the maximum number of MAC address in VLAN 10 as 100, choose drop mode and click Create.
  • Page 193: Using The Cli

    Managing MAC Address Table Example for Security Configurations 4.4 Using the CLI
    1) Set the maximum number of MAC address in VLAN 10 as 100, and choose drop mode.
    Switch#configure
    Switch(config)#mac address-table security vid 10 max-learn 100 drop
    2) Configure the new-MAC-learned trap on port 1/0/2 and set notification interval as 10 seconds.
  • Page 194: Appendix: Default Parameters

    Managing MAC Address Table Appendix: Default Parameters Appendix: Default Parameters Default settings of the MAC Address Table are listed in the following tables. Table 5-1 Entries in the MAC Address Table Parameter Default Setting Static Address Entries None Dynamic Address Entries Auto-learning Filtering Address Entries None...
  • Page 195: Configuring 802.1Q Vlan

    Part 7 Configuring 802.1Q VLAN CHAPTERS 1. Overview 2. 802.1Q VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 196: Overview

    Configuring 802.1Q VLAN Overview Overview VLAN (Virtual Local Area Network) is a network technique that solves broadcasting issues in local area networks. It is usually applied in the following occasions: ■ To restrict broadcast domain: VLAN technique divides a big local area network into several VLANs, and all VLAN traffic remains within its VLAN.
  • Page 197: Q Vlan Configuration

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration 802.1Q VLAN Configuration To complete 802.1Q VLAN configuration, follow these steps: 1) Configure the VLAN, including creating a VLAN and adding the desired ports to the VLAN. 2) Configure port parameters for 802.1Q VLAN.
  • Page 198: Using The Gui

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration 2.1 Using the GUI 2.1.1 Configuring the VLAN Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Figure 2-1 Configuring VLAN Follow these steps to configure VLAN: 1) Enter a VLAN ID and a description for identification to create a VLAN.
  • Page 199: Configuring The Port Parameters For 802.1Q Vlan

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Untagged port The selected ports will forward untagged packets in the target VLAN. Tagged port The selected ports will forward tagged packets in the target VLAN. 3) Click Apply. 2.1.2 Configuring the Port Parameters for 802.1Q VLAN Choose the menu L2 FEATURES >...
  • Page 200: Using The Cli

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Displays the LAG (Link Aggregation Group) which the port belongs to. Details Click the Details button to view the VLANs to which the port belongs. 2.2 Using the CLI 2.2.1 Creating a VLAN Follow these steps to create a VLAN: Step 1 configure Enter global configuration mode.
  • Page 201: Adding The Port To The Specified Vlan

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration VLAN Name Status Ports ------- -------- --------- --------- active Switch(config-vlan)#end Switch#copy running-config startup-config 2.2.2 Adding the Port to the Specified VLAN Follow these steps to add the port to the specified VLAN: Step 1 configure Enter global configuration mode.
  • Page 202: Configuring The Port

    Configuring 802.1Q VLAN 802.1Q VLAN Configuration Acceptable frame type: All Ingress Checking: Enable Member in LAG: N/A Link Type: General Member in VLAN: Vlan Name Egress-rule ---- ----------- ----------- System-VLAN Untagged Tagged Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Configuring the Port Follow these steps to configure the port: Step 1 configure...
  • Page 203 Configuring 802.1Q VLAN 802.1Q VLAN Configuration
    The following example shows how to configure the PVID of port 1/0/5 as 2, enable the ingress checking and set the acceptable frame type as all:
    Switch#configure
    Switch(config)#interface gigabitEthernet 1/0/5
    Switch(config-if)#switchport pvid 2
    Switch(config-if)#switchport check ingress
    Switch(config-if)#switchport acceptable frame all
    Switch(config-if)#show interface switchport gigabitEthernet 1/0/5
    Port Gi1/0/5:...
  • Page 204: Configuration Example

    Configuring 802.1Q VLAN Configuration Example Configuration Example 3.1 Network Requirements ■ Offices of Department A and Department B in the company are located in different places, and some computers in different offices connect to the same switch. ■ It is required that computers can communicate with each other in the same department but not with computers in the other department.
  • Page 205: Network Topology

    Configuring 802.1Q VLAN Configuration Example 3.3 Network Topology The figure below shows the network topology. Host A1 and Host A2 are in Department A, while Host B1 and Host B2 are in Department B. Switch 1 and Switch 2 are located in two different places.
  • Page 206 Configuring 802.1Q VLAN Configuration Example Figure 3-2 Creating VLAN 10 for Department A 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 20 with the description of Department_B.
  • Page 207 Configuring 802.1Q VLAN Configuration Example Figure 3-3 Creating VLAN 20 for Department B 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Set the PVID of port 1/0/2 as 10 and click Apply. Set the PVID of port 1/0/3 as 20 and click Apply.
  • Page 208: Using The Cli

    Configuring 802.1Q VLAN Configuration Example Figure 3-4 Specifying the PVID for the ports 4) Click to save the settings. 3.5 Using the CLI The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example. 1) Create VLAN 10 for Department A, and configure the description as Department-A.
  • Page 209 Configuring 802.1Q VLAN Configuration Example
    Switch_1(config)#interface gigabitEthernet 1/0/3
    Switch_1(config-if)#switchport general allowed vlan 20 untagged
    Switch_1(config-if)#exit
    Switch_1(config)#interface gigabitEthernet 1/0/4
    Switch_1(config-if)#switchport general allowed vlan 10 tagged
    Switch_1(config-if)#switchport general allowed vlan 20 tagged
    Switch_1(config-if)#exit
    3) Set the PVID of port 1/0/2 as 10, and set the PVID of port 1/0/3 as 20.
    Switch_1(config)#interface gigabitEthernet 1/0/2
    Switch_1(config-if)#switchport pvid 10
    Switch_1(config-if)#exit...
  • Page 210 Configuring 802.1Q VLAN Configuration Example Primary Secondary Type Ports ------- --------- ---------- --------------------- Verify the VLAN configuration: Switch_1(config)#show interface switchport Port Type PVID Acceptable frame type Ingress Checking ------- ---- ---- --------------------- ---------------- Gi1/0/1 General Enable Gi1/0/2 General Enable Gi1/0/3 General Enable Gi1/0/4...
  • Page 211: Appendix: Default Parameters

    Configuring 802.1Q VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of 802.1Q VLAN are listed in the following table. Table 4-1 Default Settings of 802.1Q VLAN Parameter Default Setting VLAN ID PVID Ingress Checking Enabled Acceptable Frame Types Admit All
  • Page 212: Configuring Mac Vlan

    Part 8 Configuring MAC VLAN CHAPTERS 1. Overview 2. MAC VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 213: Overview

    Configuring MAC VLAN Overview Overview VLAN is generally divided by ports. It is a common way of division but isn’t suitable for those networks that require frequent topology changes. With the popularity of mobile office, at different times a terminal device may access the network via different ports. For example, a terminal device that accessed the switch via port 1 last time may change to port 2 this time.
  • Page 214: Mac Vlan Configuration

    Configuring MAC VLAN MAC VLAN Configuration MAC VLAN Configuration To complete MAC VLAN configuration, follow these steps: 1) Configure 802.1Q VLAN. 2) Bind the MAC address to the VLAN. 3) Enable MAC VLAN for the port. Configuration Guidelines When a port in a MAC VLAN receives an untagged data packet, the switch will first check whether the source MAC address of the data packet has been bound to the MAC VLAN.
  • Page 215: Enabling Mac Vlan For The Port

    Configuring MAC VLAN MAC VLAN Configuration Follow these steps to bind the MAC address to the 802.1Q VLAN: 1) Enter the MAC address of the device, give it a description, and enter the VLAN ID to bind it to the VLAN. MAC Address Enter the MAC address of the device in the format of 00-00-00-00-00-01.
  • Page 216: Using The Cli

    Configuring MAC VLAN MAC VLAN Configuration 2.2 Using the CLI 2.2.1 Configuring 802.1Q VLAN Before configuring MAC VLAN, create an 802.1Q VLAN and set the port type according to network requirements. For details, refer to Configuring 802.1Q VLAN. 2.2.2 Binding the MAC Address to the VLAN Follow these steps to bind the MAC address to the VLAN: Step 1 configure...
  • Page 217: Enabling Mac Vlan For The Port

    Configuring MAC VLAN MAC VLAN Configuration Switch#copy running-config startup-config 2.2.3 Enabling MAC VLAN for the Port Follow these steps to enable MAC VLAN for the port: Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode.
  • Page 218: Configuration Example

    Configuring MAC VLAN Configuration Example Configuration Example 3.1 Network Requirements Two departments share all the meeting rooms in the company, but use different servers and laptops. Department A uses Server A and Laptop A, while Department B uses Server B and Laptop B.
  • Page 219: Using The Gui

    Configuring MAC VLAN Configuration Example egress rule as Untagged; for the ports connecting to other switches, set the egress rule as Tagged. 2) On Switch 1 and Switch 2, bind the MAC addresses of the laptops to their corresponding VLANs, and enable MAC VLAN for the ports. Demonstrated with T2600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 220 Configuring MAC VLAN Configuration Example Figure 3-2 Creating VLAN 10 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 20, and add untagged port 1/0/1 and tagged port 1/0/2 to VLAN 20. Click Create.
  • Page 221 Configuring MAC VLAN Configuration Example Figure 3-3 Creating VLAN 20 3) Choose the menu L2 FEATURES > VLAN > MAC VLAN and click to load the following page. Specify the corresponding parameters and click Create to bind the MAC address of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN Figure 3-4 Creating MAC VLAN 4) Choose the menu L2 FEATURES >...
  • Page 222 Configuring MAC VLAN Configuration Example Figure 3-5 Enabling MAC VLAN for the Port 5) Click to save the settings. ■ Configurations for Switch 3 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add untagged port 1/0/4 and tagged ports 1/0/2-3 to VLAN 10.
  • Page 223 Configuring MAC VLAN Configuration Example Figure 3-6 Creating VLAN 10 2) Click Create to load the following page. Create VLAN 20, and add untagged port 1/0/5 and tagged ports 1/0/2-3 to VLAN 20. Click Create.
  • Page 224: Using The Cli

    Configuring MAC VLAN Configuration Example Figure 3-7 Creating VLAN 20 3) Click to save the settings. 3.4 Using the CLI ■ Configurations for Switch 1 and Switch 2 The configurations of Switch 1 and Switch 2 are the same. The following introductions take Switch 1 as an example.
  • Page 225 Configuring MAC VLAN Configuration Example
    Switch_1(config)#vlan 20
    Switch_1(config-vlan)#name deptB
    Switch_1(config-vlan)#exit
    2) Add tagged port 1/0/2 and untagged port 1/0/1 to both VLAN 10 and VLAN 20. Then enable MAC VLAN on port 1/0/1.
    Switch_1(config)#interface gigabitEthernet 1/0/2
    Switch_1(config-if)#switchport general allowed vlan 10,20 tagged
    Switch_1(config-if)#exit
    Switch_1(config)#interface gigabitEthernet 1/0/1
    Switch_1(config-if)#switchport general allowed vlan 10,20 untagged...
  • Page 226 Configuring MAC VLAN Configuration Example Switch_3(config)#interface gigabitEthernet 1/0/3 Switch_3(config-if)#switchport general allowed vlan 10,20 tagged Switch_3(config-if)#exit 3) Add untagged port 1/0/4 to VLAN 10 and untagged port 1/0/5 to VLAN 20. Switch_3(config)#interface gigabitEthernet 1/0/4 Switch_3(config-if)#switchport general allowed vlan 10 untagged Switch_3(config-if)#exit Switch_3(config)#interface gigabitEthernet 1/0/5 Switch_3(config-if)#switchport general allowed vlan 20 untagged Switch_3(config-if)#end...
  • Page 227 Configuring MAC VLAN Configuration Example ■ Switch 3 Switch_3#show vlan VLAN Name Status Ports -------- --------------- ------------- ------------------------------------- System-VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8 DeptA active Gi1/0/2, Gi1/0/3, Gi1/0/4 DeptB active Gi1/0/2, Gi1/0/3, Gi1/0/5 User Guide...
  • Page 228: Appendix: Default Parameters

    Configuring MAC VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of MAC VLAN are listed in the following table. Table 4-1 Default Settings of MAC VLAN Parameter Default Setting MAC Address None Description None VLAN ID None Port Enable Disabled User Guide...
  • Page 229: Configuring Protocol Vlan

    Part 9 Configuring Protocol VLAN CHAPTERS 1. Overview 2. Protocol VLAN Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 230: Overview

    Configuring Protocol VLAN Overview Overview Protocol VLAN is a technology that divides VLANs based on the network layer protocol. With the protocol VLAN rule configured on the basis of the existing 802.1Q VLAN, the switch can analyze specific fields of received packets, encapsulate the packets in specific formats, and forward the packets with different protocols to the corresponding VLANs.
  • Page 231: Protocol Vlan Configuration

    3) Configure Protocol VLAN. Configuration Guidelines ■ You can use the IP, ARP, RARP, and other protocol templates provided by TP-Link switches, or create new protocol templates. ■ In a protocol VLAN, when a port receives an untagged data packet, the switch will first search for the protocol VLAN matching the protocol type value of the packet.
  • Page 232: Creating Protocol Template

    Configuring Protocol VLAN Protocol VLAN Configuration 2.1.2 Creating Protocol Template Choose the menu L2 FEATURES > VLAN > Protocol VLAN > Protocol Template to load the following page. Figure 2-1 Check the Protocol Template Follow these steps to create a protocol template: 1) Check whether your desired template already exists in the Protocol Template Config section.
  • Page 233: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration DSAP Enter the DSAP value for the protocol template. It is available when LLC is selected. It is the DSAP field in the frame and is used to identify the data type of the frame. SSAP Enter the SSAP value for the protocol template.
  • Page 234: Using The Cli

    Configuring Protocol VLAN Protocol VLAN Configuration 802.1p Priority Specify the 802.1p priority for the packets that belong to the protocol VLAN. The switch will determine the forwarding sequence according to this value. Packets with a larger 802.1p priority value have higher priority. 2) Select the desired ports.
  • Page 235: Configuring Protocol Vlan

    Configuring Protocol VLAN Protocol VLAN Configuration The following example shows how to create an IPv6 protocol template: Switch#configure Switch(config)#protocol-vlan template name IPv6 frame ether_2 ether-type 86dd Switch(config)#show protocol-vlan template Index Protocol Name Protocol Type ------- ----------------- -------------------------------- EthernetII ether-type 0800 EthernetII ether-type 0806 RARP EthernetII ether-type 8035...
  • Page 236 Configuring Protocol VLAN Protocol VLAN Configuration Step 5 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 6 protocol-vlan group entry-id Add the specified port to the protocol group.
  • Page 237 Configuring Protocol VLAN Protocol VLAN Configuration Index Protocol-Name VID Priority Member ------ ------------------ ------ -------- ------------ IPv6 Gi1/0/2 Switch(config-if)#end Switch#copy running-config startup-config User Guide...
  • Page 238: Configuration Example

    Configuring Protocol VLAN Configuration Example Configuration Example 3.1 Network Requirements A company uses both IPv4 and IPv6 hosts, and these hosts access the IPv4 network and IPv6 network respectively via different routers. It is required that IPv4 packets are forwarded to the IPv4 network, IPv6 packets are forwarded to the IPv6 network, and other packets are dropped.
  • Page 239 Configuring Protocol VLAN Configuration Example 1) Create VLAN 10 and VLAN 20 and add each port to the corresponding VLAN. 2) Use the IPv4 protocol template provided by the switch, and create the IPv6 protocol template. 3) Bind the protocol templates to the corresponding VLANs to form protocol groups, and add port 1/0/1 to the groups.
  • Page 240: Using The Gui

    Configuring Protocol VLAN Configuration Example 3.3 Using the GUI ■ Configurations for Switch 1 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add untagged port 1/0/1 and untagged port 1/0/3 to VLAN 10.
  • Page 241 Configuring Protocol VLAN Configuration Example 2) Click to load the following page. Create VLAN 20, and add untagged ports 1/0/2-3 to VLAN 20. Click Create. Figure 3-3 Create VLAN 20 3) Click to save the settings. User Guide...
  • Page 242 Configuring Protocol VLAN Configuration Example ■ Configurations for Switch 2 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10, and add tagged port 1/0/1 and untagged port 1/0/2 to VLAN 10.
  • Page 243 Configuring Protocol VLAN Configuration Example 2) Click to load the following page. Create VLAN 20, and add tagged port 1/0/1 and untagged port 1/0/3 to VLAN 20. Click Create. Figure 3-5 Create VLAN 20 User Guide...
  • Page 244 Configuring Protocol VLAN Configuration Example 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Set the PVID of port 1/0/2 and port 1/0/3 as 10 and 20 respectively. Click Apply. Figure 3-6 Port Configuration 4) Choose the menu L2 FEATURES >...
  • Page 245 Configuring Protocol VLAN Configuration Example Figure 3-8  Configure the IPv4 Protocol Group Figure 3-9 Configure the IPv6 Protocol Group 6) Click to save the settings. User Guide...
  • Page 246: Using The Cli

    Configuring Protocol VLAN Configuration Example 3.4 Using the CLI ■ Configurations for Switch 1 1) Create VLAN 10 and VLAN 20. Switch_1#configure Switch_1(config)#vlan 10 Switch_1(config-vlan)#name IPv4 Switch_1(config-vlan)#exit Switch_1(config)#vlan 20 Switch_1(config-vlan)#name IPv6 Switch_1(config-vlan)#exit 2) Add untagged port 1/0/1 to VLAN 10. Add untagged port 1/0/2 to VLAN 20. Add untagged port 1/0/3 to both VLAN10 and VLAN 20.
  • Page 247 Configuring Protocol VLAN Configuration Example Switch_2(config-vlan)#name IPv6 Switch_2(config-vlan)#exit 2) Add tagged port 1/0/1 to both VLAN 10 and VLAN 20. Specify the PVID of untagged port 1/0/2 as 10 and add it to VLAN 10. Specify the PVID of untagged port 1/0/3 as 20 and add it to VLAN 20.
  • Page 248 Configuring Protocol VLAN Configuration Example 5) Add port 1/0/1 to the protocol groups. Switch_2(config)#show protocol-vlan vlan Index Protocol-Name Member ---- --------------- ---------- ------------- IPv6 Switch_2(config)#interface gigabitEthernet 1/0/1 Switch_2(config-if)#protocol-vlan group 1 Switch_2(config-if)#protocol-vlan group 2 Switch_2(config-if)#exit Switch_2(config)#end Switch_2#copy running-config startup-config Verify the Configurations ■...
  • Page 249 Configuring Protocol VLAN Configuration Example VLAN Name Status Ports ------- ------------- ---------- -------------------------------------------- System-VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4 Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28 IPv4 active Gi1/0/1, Gi1/0/2 IPv6 active Gi1/0/1, Gi1/0/3 Verify protocol group configuration: Switch_2#show protocol-vlan vlan Index Protocol-Name Priority Member --------...
  • Page 250: Appendix: Default Parameters

    Configuring Protocol VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of Protocol VLAN are listed in the following table. Table 4-1 Default Settings of Protocol VLAN Parameter Default Setting Ethernet II ether-type 0800 Ethernet II ether-type 0806 Protocol Template Table RARP Ethernet II ether-type 8035 SNAP ether-type 8137...
  • Page 251: Configuring Vlan-Vpn

    Part 10 Configuring VLAN-VPN CHAPTERS 1. VLAN-VPN 2. Basic VLAN-VPN Configuration 3. Flexible VLAN-VPN Configuration 4. Configuration Examples 5. Appendix: Default Parameters...
  • Page 252: Vlan-Vpn

    Configuring VLAN-VPN VLAN-VPN VLAN-VPN 1.1 Overview VLAN-VPN (Virtual Private Network) is an easy-to-implement layer 2 VLAN technology, and it is usually deployed at the edge of the ISP (Internet Service Provider) network. With VLAN-VPN, when forwarding packets from the customer network to the ISP network, the switch adds an outer tag to the packets with outer VLAN ID.
  • Page 253: Supported Features

    Configuring VLAN-VPN VLAN-VPN 1.2 Supported Features The VLAN-VPN function includes: basic VLAN-VPN and flexible VLAN-VPN (VLAN mapping). Basic VLAN-VPN All packets from customer VLANs are encapsulated with the same VLAN tag of the ISP network, and sent to the ISP network. Additionally, you can set the TPID (Tag Protocol Identifier) for compatibility with devices in the ISP network.
  • Page 254: Basic Vlan-Vpn Configuration

    Configuring VLAN-VPN Basic VLAN-VPN Configuration Basic VLAN-VPN Configuration To complete the basic VLAN-VPN configuration, follow these steps: 1) Configure 802.1Q VLAN. 2) Configure NNI ports and UNI ports. 3) Enable VLAN-VPN globally. Configuration Guidelines ■ The TPID preset by the switch is 0x8100. If the devices in the ISP network do not support this value, you should change it to ensure VLAN-VPN packets sent to the ISP network can be recognized and forwarded by devices of other manufacturers.
  • Page 255: Configuring Basic Vlan-Vpn

    Configuring VLAN-VPN Basic VLAN-VPN Configuration 2.1.2 Configuring Basic VLAN-VPN Choose the menu L2 FEATURES > VLAN > VLAN VPN > VPN Config to load the following page. Figure 2-1 Basic VPN Configuration Follow these steps to configure the basic VLAN-VPN parameters: 1) In the Global Config section, enable VLAN VPN globally, and click Apply.
  • Page 256: Using The Cli

    Configuring VLAN-VPN Basic VLAN-VPN Configuration TPID Specify the value of TPID. TPID is a field of the VLAN tag and is modified to make the double tagged packets identifiable to devices from different vendors. Missdrop Enable the Missdrop feature. This option takes effect only on tagged packets. With Missdrop enabled, the tagged packets that don’t match the VLAN Mapping entries will be dropped.
  • Page 257 Configuring VLAN-VPN Basic VLAN-VPN Configuration Step 4 switchport dot1q-tunnel mode { nni | uni } Select the port role that will take effect in the VLAN-VPN function. : NNI ports are usually connected to the ISP network, and the packets forwarded by these ports have outer VLAN tags.
  • Page 258 Configuring VLAN-VPN Basic VLAN-VPN Configuration The following example shows how to enable the VLAN-VPN feature globally, set port 1/0/1 of switch as the UNI port and 1/0/2 as the NNI port: Switch#configure Switch(config)#dot1q-tunnel Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#switchport dot1q-tunnel mode uni Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#switchport dot1q-tunnel mode nni...
  • Page 259: Flexible Vlan-Vpn Configuration

    Configuring VLAN-VPN Flexible VLAN-VPN Configuration Flexible VLAN-VPN Configuration To complete the flexible VLAN-VPN configuration, follow these steps: 1) Configure 802.1Q VLAN and basic VLAN-VPN. 2) Configure VLAN mapping. Configuration Guidelines ■ Before you start, configure 802.1Q VLAN and the basic VLAN-VPN. ■...
  • Page 260: Using The Cli

    Configuring VLAN-VPN Flexible VLAN-VPN Configuration Figure 3-2 Create VLAN Mapping Entry Port For T2600G-28TS/T2600G-28TS-DC/T2600G-28MPS/T2600G-28SQ/T2600G-52TS, choose a UNI port to enable VLAN mapping. For T2600G-18TS, choose an NNI port to enable VLAN mapping. C VLAN Specify the customer VLAN of the UNI port by entering the VLAN ID or VLAN Name.
  • Page 261 Configuring VLAN-VPN Flexible VLAN-VPN Configuration Step 4 switchport dot1q-tunnel mapping c-vlan sp-vlan [ descript ] Set VLAN mapping entries for the specified port. c-vlan: Enter VLAN ID of the customer network. sp-vlan: Enter VLAN ID of the ISP network. descript: Give a description to identify the VLAN Mapping.
  • Page 262: Configuration Examples

    Configuring VLAN-VPN Configuration Examples Configuration Examples 4.1 Example for Basic VLAN VPN 4.1.1 Network Requirements A company has two stations, and the computers belong to VLAN 100 and VLAN 200 respectively. The ISP VLAN is VLAN 1050 and the TPID adopted by the ISP network is 0x9100.
  • Page 263: Using The Gui

    Configuring VLAN-VPN Configuration Examples 1) Configure 802.1Q VLAN on switch 1. The parameters are shown below: VLAN 100 VLAN 200 VLAN 1050 PVID Port 1/0/1 Tagged Keep the default value Port 1/0/2 Tagged Tagged Untagged 1050 2) Configure 802.1Q VLAN on switch 3. The parameters are shown below: VLAN 100 VLAN 200 PVID...
  • Page 264 Configuring VLAN-VPN Configuration Examples Figure 4-2 Create VLAN 100 User Guide...
  • Page 265 Configuring VLAN-VPN Configuration Examples Figure 4-3 Create VLAN 200 User Guide...
  • Page 266 Configuring VLAN-VPN Configuration Examples Figure 4-4 Create VLAN 1050 2) Go to L2 FEATURES > VLAN > Port Config to set the PVID as 1050 for port 1/0/2 and leave the default value 1 for port 1/0/1. Figure 4-5 Configuring PVID 3) Go to L2 FEATURES > VLAN > VLAN VPN > VPN Config, enable VLAN VPN globally; set port 1/0/1 as NNI port and port 1/0/2 as UNI port.
  • Page 267 Configuring VLAN-VPN Configuration Examples Figure 4-6 Enabling VLAN VPN Globally and Configuring the Ports 4) Click to save the settings. ■ Configuring Switch 3: 1) Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 100 and VLAN 200. Configure the egress rules of port 1/0/1 in VLAN 100 as Untagged;...
  • Page 268 Configuring VLAN-VPN Configuration Examples Figure 4-7 Creating VLAN 100 User Guide...
  • Page 269: Using The Cli

    Configuring VLAN-VPN Configuration Examples Figure 4-8 Creating VLAN 200 2) Go to L2 FEATURES > VLAN > Port Config to set the PVID as 100 for port 1/0/1 and 200 for port 1/0/2. Figure 4-9 Configuring PVID 3) Click to save the settings. 4.1.4 Using the CLI The configurations of Switch 1 and Switch 2 are similar.
  • Page 270 Configuring VLAN-VPN Configuration Examples Switch_1(config)#vlan 1050 Switch_1(config-vlan)#name SP_VLAN Switch_1(config-vlan)#exit Switch_1(config)#vlan 100 Switch_1(config-vlan)#name C_VLAN100 Switch_1(config-vlan)#exit Switch_1(config)#vlan 200 Switch_1(config-vlan)#name C_VLAN200 Switch_1(config-vlan)#exit 2) Add port 1/0/1 to VLAN 1050 as tagged port, modify PVID as 1050, set the port as NNI port and specify the TPID as 9100. Switch_1(config)#interface gigabitEthernet 1/0/1 Switch_1(config-if)#switchport general allowed vlan 1050 tagged Switch_1(config-if)#switchport pvid 1050...
  • Page 271 Configuring VLAN-VPN Configuration Examples Switch_3#configure Switch_3(config)#vlan 100 Switch_3(config-vlan)#name C_VLAN100 Switch_3(config-vlan)#exit Switch_3(config)#vlan 200 Switch_3(config-vlan)#name C_VLAN200 Switch_3(config-vlan)#exit 2) Add port 1/0/1 to VLAN 100 and port 1/0/2 to VLAN 200 as untagged ports; add port 1/0/3 to VLAN 100 and VLAN 200 as tagged ports. Configure the PVID as 100 for port 1/0/1 and 200 for port 1/0/2.
  • Page 272 Configuring VLAN-VPN Configuration Examples Port Type Tpid Use Inner Priority ------- ------- ------- ----------------- Gi1/0/1 0x9100 Disable Gi1/0/2 0x8100 Enable Gi1/0/3 NONE 0x8100 Disable Gi1/0/4 NONE 0x8100 Disable Verify the port configuration: Switch_3#show interface switchport gigabitEthernet 1/0/1 Port Gi1/0/1: PVID: 1050 Acceptable frame type: All Ingress Checking: Enable Member in LAG: N/A...
  • Page 273: Example For Flexible Vlan Vpn

    Configuring VLAN-VPN Configuration Examples Vlan Name Egress-rule ---- ----------- ----------- System-VLAN Untagged C_VLAN100 Tagged C_VLAN200 Tagged 1050 SP_VLAN Untagged 4.2 Example for Flexible VLAN VPN 4.2.1 Network Requirements A company has two stations, and the computers belong to VLAN 100 and VLAN 200 respectively.
  • Page 274: Using The Gui

    Configuring VLAN-VPN Configuration Examples from VLAN 100 and VLAN 200 will be transmitted through VLAN 1050 and VLAN 1060 respectively. Here we only introduce the configuration scheme on Switch 1 and Switch 3, for the configurations on Switch 2 are the same as that on Switch 1, and the configurations on Switch 4 are the same as that on Switch 3.
  • Page 275 Configuring VLAN-VPN Configuration Examples Figure 4-11 Create VLAN 100 User Guide...
  • Page 276 Configuring VLAN-VPN Configuration Examples Figure 4-12 Create VLAN 200 User Guide...
  • Page 277 Configuring VLAN-VPN Configuration Examples Figure 4-13 Create VLAN 1050 User Guide...
  • Page 278 Configuring VLAN-VPN Configuration Examples Figure 4-14 Create VLAN 1060 2) Go to L2 FEATURES > VLAN > VLAN VPN > VPN Config, enable VLAN VPN globally; set port 1/0/1 as NNI port and port 1/0/2 as UNI port. Specify the TPID of port 1/0/1 as 9100.
  • Page 279 Configuring VLAN-VPN Configuration Examples Figure 4-16 Mapping VLAN 100 to VLAN 1050 Figure 4-17 Mapping VLAN 200 to VLAN 1060 4) Click to save the settings. ■ Configuring Switch 3: 1) Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 100 and VLAN 200. Configure the egress rules of port 1/0/1 in VLAN 100 as Untagged;...
  • Page 280 Configuring VLAN-VPN Configuration Examples Figure 4-18 Creating VLAN 100 User Guide...
  • Page 281: Using The Cli

    Configuring VLAN-VPN Configuration Examples Figure 4-19 Creating VLAN 200 2) Go to L2 FEATURES > VLAN > Port Config to set the PVID as 100 for port 1/0/1 and 200 for port 1/0/2. Figure 4-20 Configuring PVID 3) Click to save the settings. 4.2.4 Using the CLI ■...
  • Page 282 Configuring VLAN-VPN Configuration Examples Switch_1(config)#vlan 1050 Switch_1(config-vlan)#name SP_VLAN1050 Switch_1(config-vlan)#exit Switch_1(config)#vlan 1060 Switch_1(config-vlan)#name SP_VLAN1060 Switch_1(config-vlan)#exit Switch_1(config)#vlan 100 Switch_1(config-vlan)#name C_VLAN100 Switch_1(config-vlan)#exit Switch_1(config)#vlan 200 Switch_1(config-vlan)#name C_VLAN200 Switch_1(config-vlan)#exit 2) Add port 1/0/1 to VLAN 1050 and VLAN 1060 as tagged port, set the port as NNI port and specify the TPID as 9100.
  • Page 283 Configuring VLAN-VPN Configuration Examples Switch_1(config-if)#exit 5) Enable VLAN VPN globally Switch_1(config)#dot1q-tunnel Switch_1(config)#end Switch_1#copy running-config startup-config ■ Configuring Switch 3 1) Create VLAN 100 and VLAN 200. Switch_3#configure Switch_3(config)#vlan 100 Switch_3(config-vlan)#name C_VLAN100 Switch_3(config-vlan)#exit Switch_3(config)#vlan 200 Switch_3(config-vlan)#name C_VLAN200 Switch_3(config-vlan)#exit 2) Add port 1/0/1 to VLAN 100 and port 1/0/2 to VLAN 200 as untagged ports; add port 1/0/3 to VLAN 100 and VLAN 200 as tagged ports.
  • Page 284: Appendix: Default Parameters

    Configuring VLAN-VPN Appendix: Default Parameters Appendix: Default Parameters Default settings of VLAN VPN are listed in the following table. Table 5-1 Default Settings of VLAN VPN Parameter Default Setting Global VLAN VPN Disabled Port Role None Global TPID 0x8100 Missdrop Disabled Use Inner Priority Disabled...
  • Page 285: Configuring Gvrp

    Part 11 Configuring GVRP CHAPTERS 1. Overview 2. GVRP Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 286: Overview

    Configuring GVRP Overview Overview GVRP (GARP VLAN Registration Protocol) is a GARP (Generic Attribute Registration Protocol) application that allows registration and deregistration of VLAN attribute values and dynamic VLAN creation. Without GVRP operating, configuring the same VLAN on a network would require manual configuration on each device.
  • Page 287: Gvrp Configuration

    Configuring GVRP GVRP Configuration GVRP Configuration To complete GVRP configuration, follow these steps: 1) Create a VLAN. 2) Enable GVRP globally. 3) Enable GVRP on each port and configure the corresponding parameters. Configuration Guidelines To dynamically create a VLAN on all ports in a network link, you must configure the same static VLAN on both ends of the link.
  • Page 288: Using The Gui

    Configuring GVRP GVRP Configuration 2.1 Using the GUI Choose the menu L2 FEATURES > VLAN > GVRP > GVRP Config to load the following page. Figure 2-1 GVRP Config Follow these steps to configure GVRP: 1) In the GVRP section, enable GVRP globally, then click Apply. 2) In the Port Config section, select one or more ports, set the status as Enable and configure the related parameters according to your needs.
  • Page 289: Using The Cli

    Configuring GVRP GVRP Configuration LeaveAll Timer (centisecond) When a GARP participant is enabled, the LeaveAll timer will be started. When the LeaveAll timer expires, the GARP participant will send LeaveAll messages to request other GARP participants to re-register all its attributes. After that, the participant restarts the LeaveAll timer.
  • Page 290 Configuring GVRP GVRP Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 4 gvrp Enable GVRP on the port.
  • Page 291 Configuring GVRP GVRP Configuration Step 9 Return to privileged EXEC mode. Step 10 copy running-config startup-config Save the settings in the configuration file. Note: • The member port of an LAG follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.
  • Page 292: Configuration Example

    Configuring GVRP Configuration Example Configuration Example 3.1 Network Requirements Department A and Department B of a company are connected using switches. Offices of one department are distributed on different floors. As shown in Figure 3-1, the network topology is complicated. Configuration of the same VLAN on different switches is required so that computers in the same department can communicate with each other.
  • Page 293: Using The Gui

    Configuring GVRP Configuration Example Demonstrated with T2600G-28TS, the following sections provide the configuration procedure in two ways: using the GUI and using the CLI. 3.3 Using the GUI GVRP configurations for Switch 3 are the same as for Switch 1, and those for Switch 4 are the same as for Switch 2.
  • Page 294 Configuring GVRP Configuration Example 2) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select port 1/0/1, set Status as Enable, and set Registration Mode as Fixed. Keep the values of the timers as default. Click Apply. Figure 3-3 GVRP Configuration 3) Click to save the settings.
  • Page 295 Configuring GVRP Configuration Example Figure 3-4 Create VLAN 20 2) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select port 1/0/1, set Status as Enable, and set Registration Mode as Fixed. Keep the values of the timers as default. Click Apply. User Guide...
  • Page 296 Configuring GVRP Configuration Example Figure 3-5 GVRP Configuration 3) Click to save the settings. ■ Configurations for Switch 5 1) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select ports 1/0/1-3, set Status as Enable, and keep the Registration Mode and the values of the timers as default.
  • Page 297: Using The Cli

    Configuring GVRP Configuration Example Figure 3-6 GVRP Configuration 2) Click to save the settings. 3.4 Using the CLI GVRP configurations for Switch 3 are the same as for Switch 1, and those for Switch 4 are the same as for Switch 2. Other switches share similar configurations. The following configuration procedures take Switch 1, Switch 2 and Switch 5 as examples.
  • Page 298 Configuring GVRP Configuration Example Switch_1(config)#interface gigabitEthernet 1/0/1 Switch_1(config-if)#switchport general allowed vlan 10 tagged Switch_1(config-if)#gvrp Switch_1(config-if)#gvrp registration fixed Switch_1(config-if)#end Switch_1#copy running-config startup-config ■ Configurations for Switch 2 1) Enable GVRP globally. Switch_2#configure Switch_2(config)#gvrp 2) Create VLAN 20. Switch_2(config)#vlan 20 Switch_2(config-vlan)#name Department_B Switch_2(config-vlan)#exit 3) Add port 1/0/1 as a tagged port to VLAN 20.
  • Page 299 Configuring GVRP Configuration Example Switch_5#copy running-config startup-config Verify the Configuration ■ Switch 1 Verify the global GVRP configuration: Switch_1#show gvrp global GVRP Global Status ------------------ Enabled Verify GVRP configuration for port 1/0/1: Switch_1#show gvrp interface Port Status Reg-Mode LeaveAll JoinIn Leave LAG ---- ------...
  • Page 300 Configuring GVRP Configuration Example Gi1/0/2 Disabled Normal 1000 ■ Switch 5 Verify global GVRP configuration: GVRP Global Status ------------------ Enabled Verify GVRP configuration for ports 1/0/1-3: Switch_5#show gvrp interface Port Status Reg-Mode LeaveAll JoinIn Leave LAG ---- ------ -------- ------- ------ ----- Gi1/0/1 Enabled...
  • Page 301: Appendix: Default Parameters

    Configuring GVRP Appendix: Default Parameters Appendix: Default Parameters Default settings of GVRP are listed in the following tables. Table 4-1 Default Settings of GVRP Parameter Default Setting Global Config GVRP Disabled Port Config Status Disabled Registration Mode Normal LeaveAll Timer 1000 centiseconds Join Timer 20 centiseconds...
  • Page 302: Configuring Private Vlan

    Part 12 Configuring Private VLAN CHAPTERS 1. Overview 2. Private VLAN Configurations 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 303: Overview

    Configuring Private VLAN Overview Note: T2600G-18TS does not support Private VLAN. Overview Common large networks such as ISP networks generally isolate users by VLANs. However, with the increasing number of users, upper-layer devices have to create a large number of VLANs to manage all the users. According to the IEEE 802.1Q protocol, each upper-layer device can create no more than 4094 VLANs, which means upper-layer devices in backbone networks will face a shortage of VLANs.
  • Page 304 Configuring Private VLAN Overview If private VLAN is configured on Switch B, Switch A only needs to recognize primary VLAN, VLAN5; and end users can be isolated by secondary VLANs, VLAN2, VLAN3 and VLAN4, saving VLAN resources for Switch A. Figure 1-2 Topology of Private VLAN Switch A Switch B...
  • Page 305: Private Vlan Configurations

    Configuring Private VLAN Private VLAN Configurations Private VLAN Configurations 2.1 Using the GUI Note: If you need to create a private VLAN with existing VLANs, delete all member ports of the existing VLANs before creating the private VLAN. Choose the menu L2 FEATURES > VLAN > Private VLAN and click to load the following page.
  • Page 306: Using The Cli

    Configuring Private VLAN Private VLAN Configurations 1) Enter the IDs of Primary VLAN and Secondary VLAN, and select Secondary VLAN Type. Primary VLAN Enter an ID for Primary VLAN. A primary VLAN can pair with more than one secondary VLAN to compose several private VLANs. Secondary Enter an ID or an ID list for Secondary VLAN.
  • Page 307 Configuring Private VLAN Private VLAN Configurations Step 2 vlan vlan-list Specify Primary VLAN ID, and enter VLAN configuration mode. vlan-list : Specify the ID or the ID list of the VLAN(s) for configuration. The ID ranges from 2 to 4094, for example, 2-3,5. Step 3 private-vlan primary Specify the VLAN to be the primary VLAN.
  • Page 308: Configuring The Up-Link Port

    Configuring Private VLAN Private VLAN Configurations The following example shows how to create primary VLAN 6 and secondary VLAN 5, set the secondary VLAN type as community, and pair primary VLAN 6 with secondary VLAN 5 as a private VLAN. Switch#configure Switch(config)#vlan 6 Switch(config-vlan)#private-vlan primary...
  • Page 309 Configuring Private VLAN Private VLAN Configurations Step 4 switchport private-vlan mapping primary-vlan-id secondary-vlan-id Add the specified port(s) to the private VLAN. primary-vlan-id : Specify the ID of the primary VLAN. The ID ranges from 2 to 4094. secondary-vlan-id : Specify the ID of the secondary VLAN. The ID ranges from 2 to 4094. Step 5 show vlan private-vlan Verify configurations of private VLAN.
  • Page 310: Configuring The Down-Link Port

    Configuring Private VLAN Private VLAN Configurations Gi1/0/2 Promiscuous Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring the Down-link Port Follow these steps to add down-link ports to Private VLAN: Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode.
  • Page 311 Configuring Private VLAN Private VLAN Configurations Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#switchport private-vlan host Switch(config-if)#switchport private-vlan host-association 6 5 community Switch(config-if)#exit Switch(config)#show vlan private-vlan Primary Secondary Type Ports --------- ------------- --------------- -------------- Community Gi1/0/3 Switch(config)#show vlan private-vlan interface gigabitEthernet 1/0/3 Port type --------- ---------- Gi1/0/3...
  • Page 312: Configuration Example

    Configuring Private VLAN Configuration Example Configuration Example 3.1 Network Requirements Usually, an ISP divides its network into subnets to differentiate different areas by using VLAN. Company A belongs to Area VI which is marked as VLAN 6 by the ISP. It is required that departments in Company A can achieve Layer 2 isolation by using VLAN and users in the same department can communicate with each other.
  • Page 313: Using The Gui

    Configuring Private VLAN Configuration Example Figure 3-1 Network Topology Switch C Gi1/0/3 Gi1/0/2 VLAN6 Company A Switch A Gi1/0/10 Gi1/0/11 VLAN5 VLAN7 3.4 Using the GUI ■ Configurations for Switch A 1) Choose the menu L2 FEATURES > VLAN > Private VLAN and click to load the following page.
  • Page 314 Configuring Private VLAN Configuration Example Figure 3-2 Creating Primary VLAN 6 and Secondary VLAN 5 2) Choose the menu L2 FEATURES > VLAN > Private VLAN and click to load the following page. Create primary VLAN 6 and secondary VLAN 7, select Community as the Secondary VLAN Type.
  • Page 315 Configuring Private VLAN Configuration Example Figure 3-3 Creating Primary VLAN 6 and Secondary VLAN 7 3) Click to save the settings. ■ Configurations for Switch C 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page.
  • Page 316 Configuring Private VLAN Configuration Example Figure 3-4 Creating VLAN 6 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Set the PVID of port 1/0/3 as 6. Click Apply.
  • Page 317: Using The Cli

    Configuring Private VLAN Configuration Example Figure 3-5 Specifying the PVID 3) Click to save the settings. 3.5 Using the CLI ■ Configurations for Switch A 1) Enter global configuration mode. Switch_A>enable Switch_A#configure 2) Create primary VLAN 6 and secondary VLAN 5, and pair them into a private VLAN. Switch_A(config)#vlan 6 Switch_A(config-vlan)#private-vlan primary Switch_A(config-vlan)#exit...
  • Page 318 Configuring Private VLAN Configuration Example Switch_A(config)#vlan 7 Switch_A(config-vlan)#private-vlan community Switch_A(config-vlan)#exit Switch_A(config)#vlan 6 Switch_A(config-vlan)#private-vlan association 7 Switch_A(config-vlan)#exit 4) Add up-link port to the corresponding private VLAN and configure the port type as Promiscuous. Switch_A(config)#interface gigabitEthernet 1/0/2 Switch_A(config-if)#switchport private-vlan promiscuous Switch_A(config-if)#switchport private-vlan mapping 6 5 Switch_A(config-if)#exit 5) Add down-link port to the corresponding private VLAN and configure the port type as Host.
  • Page 319 Configuring Private VLAN Configuration Example Switch_C(config)#interface gigabitEthernet 1/0/3 Switch_C(config-if)#switchport pvid 6 Switch_C(config-if)#switchport general allowed vlan 6 untagged Switch_C(config-if)#end Switch_C#copy running-config startup-config Verify the Configurations ■ Switch A Verify the configuration of private VLAN: Switch_A#show vlan private-vlan Primary Secondary Type Ports --------- ------------- ---------------...
  • Page 320 Configuring Private VLAN Configuration Example ■ Switch C Verify the configuration of 802.1Q VLAN: Switch_C#show vlan VLAN Name Status Ports ----- ------------------ --------- ---------------------------------------- System-VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20, Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/24, Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28...
  • Page 321: Appendix: Default Parameters

    Configuring Private VLAN Appendix: Default Parameters Appendix: Default Parameters Default settings of Private VLAN are listed in the following tables. Table 4-1 Default Settings of Private VLAN (Parameter: Default Setting): Primary VLAN: None; Secondary VLAN: None; Secondary VLAN Type: Community
  • Page 322: Configuring Layer 2 Multicast

    Part 13 Configuring Layer 2 Multicast CHAPTERS 1. Layer 2 Multicast 2. IGMP Snooping Configuration 3. MLD Snooping Configuration 4. MVR Configuration 5. Multicast Filtering Configuration 6. Viewing Multicast Snooping Information 7. Configuration Examples 8. Appendix: Default Parameters...
  • Page 323: Layer 2 Multicast

    Configuring Layer 2 Multicast Layer 2 Multicast Layer 2 Multicast 1.1 Overview In a point-to-multipoint network, packets can be sent in three ways: unicast, broadcast and multicast. With unicast, many copies of the same information will be sent to all the receivers, occupying a large bandwidth.
  • Page 324 Configuring Layer 2 Multicast Layer 2 Multicast Demonstrated as below: [Figure 1-1 IGMP Snooping: multicast packets transmission without IGMP Snooping and with IGMP Snooping]...
  • Page 325: Supported Features

    Configuring Layer 2 Multicast Layer 2 Multicast 1.2 Supported Features Layer 2 Multicast protocol for IPv4: IGMP Snooping On the Layer 2 device, IGMP Snooping transmits data on demand on data link layer by analyzing IGMP packets between the IGMP querier and the users, to build and maintain Layer 2 multicast forwarding table.
  • Page 326: Igmp Snooping Configuration

    Configuring Layer 2 Multicast IGMP Snooping Configuration IGMP Snooping Configuration To complete IGMP Snooping configuration, follow these steps: 1) Enable IGMP Snooping globally and configure the global parameters. 2) Configure IGMP Snooping for VLANs. 3) Configure IGMP Snooping for ports. 4) (Optional) Configure the advanced IGMP Snooping features: ■...
  • Page 327: Configuring Igmp Snooping For Vlans

    Configuring Layer 2 Multicast IGMP Snooping Configuration IGMP Version Specify the IGMP version. v1: The switch works as an IGMPv1 Snooping switch. It can only process IGMPv1 messages from the host. Messages of other versions are ignored. v2: The switch works as an IGMPv2 Snooping switch. It can process both IGMPv1 and IGMPv2 messages from the host.
  • Page 328 Configuring Layer 2 Multicast IGMP Snooping Configuration Figure 2-2 Configure IGMP Snooping for VLAN Follow these steps to configure IGMP Snooping for a specific VLAN: 1) Enable IGMP Snooping for the VLAN, and configure the corresponding parameters. VLAN ID Displays the VLAN ID. IGMP Snooping Enable or disable IGMP Snooping for the VLAN.
  • Page 329 Configuring Layer 2 Multicast IGMP Snooping Configuration Fast Leave Enable or disable Fast Leave for the VLAN. IGMPv1 does not support Fast Leave. Without Fast Leave, after a receiver sends an IGMP leave message to leave a multicast group, the switch will forward the leave message to the Layer 3 device (the querier).
  • Page 330 Configuring Layer 2 Multicast IGMP Snooping Configuration Leave Time Specify the leave time for the VLAN. When the switch receives a leave message from a port to leave a multicast group, it will wait for a leave time before removing the port from the multicast group. During the period, if the switch receives any report messages from the port, the port will not be removed from the multicast group.
  • Page 331: Configuring Igmp Snooping For Ports

    Configuring Layer 2 Multicast IGMP Snooping Configuration 2.1.3 Configuring IGMP Snooping for Ports Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Figure 2-3 Configure IGMP Snooping for Ports Follow these steps to configure IGMP Snooping for ports: 1) Enable IGMP Snooping for the port and enable Fast Leave if there is only one receiver connected to the port.
  • Page 332: Configuring Igmp Accounting And Authentication Features

    Configuring Layer 2 Multicast IGMP Snooping Configuration Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Static Group Config and click to load the following page. Figure 2-4 Configure Hosts to Statically Join a Group Follow these steps to configure hosts to statically join a group: 1) Specify the multicast IP address, VLAN ID.
  • Page 333 Configuring Layer 2 Multicast IGMP Snooping Configuration Choose the menu L2 FEATURES > Multicast > IGMP Snooping > IGMP Authentication to load the following page. Figure 2-5 Configure IGMP Accounting and Authentication Follow these steps to enable IGMP accounting: 1) In the Global Config section, enable IGMP Accounting globally. Accounting Enable or disable IGMP Accounting.
  • Page 334: Using The Cli

    Configuring Layer 2 Multicast IGMP Snooping Configuration 2.2 Using the CLI 2.2.1 Configuring IGMP Snooping Globally Follow these steps to configure IGMP Snooping globally: Step 1 configure Enter global configuration mode. Step 2 ip igmp snooping Enable IGMP Snooping Globally. Step 3 ip igmp snooping version {v1 | v2 | v3} Configure the IGMP version.
  • Page 335: Configuring Igmp Snooping For Vlans

    Configuring Layer 2 Multicast IGMP Snooping Configuration The following example shows how to enable IGMP Snooping and header validation globally, specify the IGMP Snooping version as IGMPv3, and configure the switch to discard multicast streams that are sent to unknown multicast groups. Switch#configure Switch(config)#ip igmp snooping Switch(config)#ip igmp snooping version v3...
  • Page 336 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 2 ip igmp snooping vlan-config vlan-id-list mtime member-time Enable IGMP Snooping for the specified VLANs, and specify the member port aging time for the VLANs. vlan-id-list: Specify the ID or the ID list of the VLAN(s). member-time: Specify the aging time of the member ports in the specified VLANs.
  • Page 337 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 5 ip igmp snooping vlan-config vlan-id-list report-suppression (Optional) Enable the Report Suppression for the VLANs. By default, it is disabled. When enabled, the switch will only forward the first IGMP report message for each multicast group to the IGMP querier and suppress subsequent IGMP report messages for the same multicast group during one query interval.
  • Page 338 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 9 ip igmp snooping vlan-config vlan-id-list querier (Optional) Enable the IGMP Snooping Querier for the VLAN. By default, it is disabled. When enabled, the switch acts as an IGMP Snooping Querier for the hosts in this VLAN. A querier periodically sends a general query on the network to solicit membership information, and sends group-specific queries when it receives leave messages from hosts.
  • Page 339 Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#ip igmp snooping vlan-config 1 immediate-leave Switch(config)#ip igmp snooping vlan-config 1 report-suppression Switch(config)#show ip igmp snooping vlan 1 Vlan Id: 1 Vlan IGMP Snooping Status: Enable Fast Leave: Enable Report Suppression: Enable Router Time:320 Member Time: 300 Querier: Disable Switch(config)#end...
  • Page 340: Configuring Igmp Snooping For Ports

    Configuring Layer 2 Multicast IGMP Snooping Configuration Last Member Query Count: General Query Source IP: 192.168.0.5 Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring IGMP Snooping for Ports Follow these steps to configure IGMP Snooping for ports: Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list |...
  • Page 341: Configuring Hosts To Statically Join A Group

    Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config-if-range)#ip igmp snooping immediate-leave Switch(config-if-range)#show ip igmp snooping interface gigabitEthernet 1/0/1-3 Port IGMP-Snooping Fast-Leave ----------- ------------------- -------------- Gi1/0/1 enable enable Gi1/0/2 enable enable Gi1/0/3 enable enable Switch(config-if-range)#end Switch#copy running-config startup-config 2.2.4 Configuring Hosts to Statically Join a Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also configure hosts to statically join a group.
  • Page 342: Configuring Igmp Accounting And Authentication Features

    Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#show ip igmp snooping groups static Multicast-ip VLAN-id Addr-type Switch-port ------------ ------- --------- ----------- 239.1.2.3 static Gi1/0/1-3 Switch(config)#end Switch#copy running-config startup-config 2.2.5 Configuring IGMP Accounting and Authentication Features You can enable IGMP accounting and authentication according to your need. IGMP accounting is configured globally, and IGMP authentication can be enabled on a per-port basis.
  • Page 343 Configuring Layer 2 Multicast IGMP Snooping Configuration Step 3 ip igmp snooping accouting Enable IGMP accounting globally. Step 4 show ip igmp snooping Show the basic IGMP Snooping configuration. Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file.
  • Page 344 Configuring Layer 2 Multicast IGMP Snooping Configuration Switch(config)#end Switch#copy running-config startup-config The following example shows how to enable IGMP authentication on port 1/0/1-3: Switch#configure Switch(config)#interface range gigabitEthernet 1/0/1-3 Switch(config-if-range)#ip igmp snooping authentication Switch(config-if-range)#show ip igmp snooping interface gigabitEthernet 1/0/1-3 authentication Port IGMP-Authentication -----------...
  • Page 345: Mld Snooping Configuration

    Configuring Layer 2 Multicast MLD Snooping Configuration MLD Snooping Configuration To complete MLD Snooping configuration, follow these steps: 1) Enable MLD Snooping globally and configure the global parameters. 2) Configure MLD Snooping for VLANs. 3) Configure MLD Snooping for ports. 4) (Optional) Configure hosts to statically join a group.
  • Page 346: Configuring Mld Snooping For Vlans

    Configuring Layer 2 Multicast MLD Snooping Configuration 2) Click Apply. 3.1.2 Configuring MLD Snooping for VLANs Before configuring MLD Snooping for VLANs, set up the VLANs that the router ports and the member ports are in. For details, please refer to Configuring 802.1Q VLAN.
  • Page 347 Configuring Layer 2 Multicast MLD Snooping Configuration Fast Leave Enable or disable Fast Leave for the VLAN. Without Fast Leave, after a receiver sends an MLD done message (equivalent to an IGMP leave message) to leave a multicast group, the switch will forward the done message to the Layer 3 device (the querier).
  • Page 348 Configuring Layer 2 Multicast MLD Snooping Configuration Leave Time Specify the leave time for the VLAN. When the switch receives a done message from a port to leave a multicast group, it will wait for a leave time before removing the port from the multicast group. During the period, if the switch receives any report messages from the port, the port will not be removed from the multicast group.
  • Page 349: Configuring Mld Snooping For Ports

    Configuring Layer 2 Multicast MLD Snooping Configuration 3.1.3 Configuring MLD Snooping for Ports Choose the menu L2 FEATURES > Multicast > MLD Snooping > Port Config to load the following page. Figure 3-3 Configure MLD Snooping for Ports Follow these steps to configure MLD Snooping for ports: 1) Enable MLD Snooping for the port and enable Fast Leave if there is only one receiver connected to the port.
  • Page 350: Using The Cli

    Configuring Layer 2 Multicast MLD Snooping Configuration Choose the menu L2 FEATURES > Multicast > MLD Snooping > Static Group Config and click to load the following page. Figure 3-4 Configure Hosts to Statically Join a Group Follow these steps to configure hosts to statically join a group: 1) Specify the multicast IP address, VLAN ID.
  • Page 351: Configuring Mld Snooping For Vlans

    Configuring Layer 2 Multicast MLD Snooping Configuration Step 3 ipv6 mld snooping drop-unknown (Optional) Set the way the switch processes multicast streams that are sent to unknown multicast groups to Discard. By default, it is Forward. Unknown multicast groups are multicast groups that do not match any of the groups announced in earlier IGMP membership reports, and thus cannot be found in the multicast forwarding table of the switch.
  • Page 352 Configuring Layer 2 Multicast MLD Snooping Configuration Follow these steps to configure MLD Snooping for VLANs: Step 1 configure Enter global configuration mode. Step 2 ipv6 mld snooping vlan-config vlan-id-list mtime member-time Enable MLD Snooping for the specified VLANs, and specify the member port aging time for the VLANs.
  • Page 353 Configuring Layer 2 Multicast MLD Snooping Configuration Step 5 ipv6 mld snooping vlan-config vlan-id-list report-suppression (Optional) Enable Report Suppression for the VLANs. By default, it is disabled. When enabled, the switch will only forward the first MLD report message for each multicast group to the MLD querier and suppress subsequent MLD report messages for the same multicast group during one query interval.
  • Page 354 Configuring Layer 2 Multicast MLD Snooping Configuration Step 9 ipv6 mld snooping vlan-config vlan-id-list querier (Optional) Enable MLD Snooping Querier for the VLAN. By default, it is disabled. When enabled, the switch acts as an MLD Snooping Querier for the hosts in this VLAN. A querier periodically sends a general query on the network to solicit membership information, and sends group-specific queries when it receives done messages from hosts.
  • Page 355 Configuring Layer 2 Multicast MLD Snooping Configuration Switch(config)#show ipv6 mld snooping vlan 1 Vlan Id: 1 Vlan MLD Snooping Status: Enable Fast Leave: Enable Report Suppression: Enable Router Time: Enable Member Time: Enable Querier: Disable Switch(config)#end Switch#copy running-config startup-config The following example shows how to enable MLD Snooping querier for VLAN 1, and configure the query interval as 100 seconds, the maximum response time as 15 seconds, the last listener query interval as 2 seconds, the last listener query count as 3, and the general query source IP as FE80::1:...
  • Page 356: Configuring Mld Snooping For Ports

    Configuring Layer 2 Multicast MLD Snooping Configuration General Query Source IP: fe80::1 Switch(config)#end Switch#copy running-config startup-config 3.2.3 Configuring MLD Snooping for Ports Follow these steps to configure MLD Snooping for ports: Step 1 configure Enter global configuration mode. Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list }...
  • Page 357: Configuring Hosts To Statically Join A Group

    Configuring Layer 2 Multicast MLD Snooping Configuration Port MLD-Snooping Fast-Leave ----------- ------------------- -------------- Gi1/0/1 enable enable Gi1/0/2 enable enable Gi1/0/3 enable enable Switch(config-if-range)#end Switch#copy running-config startup-config 3.2.4 Configuring Hosts to Statically Join a Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also configure hosts to statically join a group.
  • Page 358 Configuring Layer 2 Multicast MLD Snooping Configuration Multicast-ip VLAN-id Addr-type Switch-port ------------ ------- --------- ----------- ff80::1001 static Gi1/0/1-3 Switch(config)#end Switch#copy running-config startup-config
  • Page 359: Mvr Configuration

    Configuring Layer 2 Multicast MVR Configuration MVR Configuration To complete MVR configuration, follow these steps: 1) Configure 802.1Q VLANs. 2) Configure MVR globally. 3) Add multicast groups to MVR. 4) Configure MVR for the ports. 5) Statically add ports to MVR groups. Configuration Guidelines ■...
  • Page 360: Configuring Mvr Globally

    Configuring Layer 2 Multicast MVR Configuration 4.1.2 Configuring MVR Globally Choose the menu L2 FEATURES > Multicast > MVR > MVR Config to load the following page. Figure 4-1 Configure MVR Globally Follow these steps to configure MVR globally: 1) Enable MVR globally and configure the global parameters. Enable or disable MVR globally.
  • Page 361: Adding Multicast Groups To Mvr

    Configuring Layer 2 Multicast MVR Configuration 4.1.3 Adding Multicast Groups to MVR You need to manually add multicast groups to the MVR. Choose the menu L2 FEATURES > Multicast > MVR > MVR Group Config and click to load the following page. Figure 4-2 Add Multicast Groups to MVR Follow these steps to add multicast groups to MVR: 1) Specify the IP address of the multicast groups.
  • Page 362: Configuring Mvr For The Port

    Configuring Layer 2 Multicast MVR Configuration Status Displays the status of the MVR group. In compatible mode, all the MVR groups are added manually, so the status is always active. In dynamic mode, there are two statuses: Inactive: The MVR group is added successfully, but the source port has not received any query messages from this multicast group.
  • Page 363: Optional) Adding Ports To Mvr Groups Statically

    Configuring Layer 2 Multicast MVR Configuration Type Configure the port type. None: The port is a non-MVR port. If you attempt to configure a non-MVR port with MVR characteristics, the operation will be unsuccessful. Source: Configure the uplink ports that receive and send multicast data on the multicast VLAN as source ports.
  • Page 364: Using The Cli

    Configuring Layer 2 Multicast MVR Configuration Follow these steps to statically add ports to an MVR group: 1) Select the ports to add them to the MVR group. 2) Click Save. 4.2 Using the CLI 4.2.1 Configuring 802.1Q VLANs Before configuring MVR, create an 802.1Q VLAN as the multicast VLAN. Add all the source ports to the multicast VLAN as tagged ports.
  • Page 365 Configuring Layer 2 Multicast MVR Configuration Step 5 mvr querytime time Specify the maximum time to wait for the IGMP membership reports since the switch receives an IGMP leave message on a receiver port. time: Specify the maximum response time. After receiving an IGMP leave message from a receiver port, the switch will send out group-specific queries and wait for IGMP membership reports.
  • Page 366: Configuring Mvr For The Ports

    Configuring Layer 2 Multicast MVR Configuration MVR Multicast Vlan MVR Max Multicast Groups :511 MVR Current Multicast Groups MVR Global Query Response Time :5 (tenths of sec) MVR Mode Type :Compatible Switch(config)#show mvr members status active MVR Group IP status Members ---------------- ---------...
  • Page 367 Configuring Layer 2 Multicast MVR Configuration Step 5 mvr immediate (Optional) Enable the Fast Leave feature of MVR for the port. Only receiver ports support Fast Leave. Before enabling Fast Leave for a port, make sure there is only a single receiver device connecting to the port.
  • Page 368 Configuring Layer 2 Multicast MVR Configuration Switch(config-if-range)#mvr type receiver Switch(config-if-range)#mvr immediate Switch(config-if-range)#mvr vlan 2 group 239.1.2.3 Switch(config-if-range)#show mvr interface gigabitEthernet 1/0/1-3,1/0/7 Port Mode Type Status Immediate Leave ----------- ---------- ------------ --------------------- --------------------- Gi1/0/1 Enable Receiver INACTIVE/InVLAN Enable Gi1/0/2 Enable Receiver INACTIVE/InVLAN Enable Gi1/0/3...
  • Page 369: Multicast Filtering Configuration

    Configuring Layer 2 Multicast Multicast Filtering Configuration Multicast Filtering Configuration To complete multicast filtering configuration, follow these steps: 1) Create the IGMP profile or MLD profile. 2) Configure multicast groups a port can join and the overflow action. 5.1 Using the GUI 5.1.1 Creating the Multicast Profile You can create multicast profiles for both IPv4 and IPv6 network.
  • Page 370 Configuring Layer 2 Multicast Multicast Filtering Configuration Figure 5-1 Create IPv4 Profile Follow these steps to create a profile. 1) In the General Config section, specify the Profile ID and Mode. Profile ID Enter a profile ID between 1 and 999. Mode Select Permit or Deny as the filtering mode.
  • Page 371: Configure Multicast Filtering For Ports

    Configuring Layer 2 Multicast Multicast Filtering Configuration Figure 5-2 Configure Multicast Groups to Be Filtered 3) In the Bind Ports section, select your desired ports to be bound with the profile. 4) Click Save. 5.1.2 Configure Multicast Filtering for Ports You can modify the mapping relation between ports and profiles in batches, and configure the number of multicast groups a port can join and the overflow action.
  • Page 372: Using The Cli

    Configuring Layer 2 Multicast Multicast Filtering Configuration Follow these steps to bind the profile to ports and configure the corresponding parameters for the ports: 1) Select one or more ports to configure. 2) Specify the profile to be bound, and configure the maximum groups the port can join and the overflow action.
  • Page 373 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 3 Permit Configure the profile’s filtering mode as permit. Then the profile acts as a whitelist and only allows specific member ports to join specified multicast groups. deny Configure the profile’s filtering mode as deny. Then the profile acts as a blacklist and prevents specific member ports from joining specific multicast groups.
  • Page 374 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 2 ipv6 mld profile id Create a new profile and enter profile configuration mode. Step 3 Permit Configure the profile’s filtering mode as permit. It is similar to a whitelist, indicating that the switch only allows specific member ports to join specific multicast groups.
  • Page 375: Binding The Profile To Ports

    Configuring Layer 2 Multicast Multicast Filtering Configuration 5.2.2 Binding the Profile to Ports You can bind the created IGMP profile or MLD profile to ports, and configure the number of multicast groups a port can join and the overflow action. Binding the IGMP Profile to Ports Step 1 configure...
  • Page 376 Configuring Layer 2 Multicast Multicast Filtering Configuration The following example shows how to bind the existing Profile 1 to port 1/0/2, and specify the maximum number of multicast groups that port 1/0/2 can join as 50 and the Overflow Action as Drop: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#ip igmp snooping...
  • Page 377 Configuring Layer 2 Multicast Multicast Filtering Configuration Step 4 ipv6 mld snooping max-groups maxgroup Configure the maximum number of multicast groups the port can join. maxgroup : Specify the maximum number of multicast groups the port can join. Valid values are from 1 to 1000.
  • Page 378 Configuring Layer 2 Multicast Multicast Filtering Configuration Gi1/0/2 Switch(config-if)#show ipv6 mld snooping interface gigabitEthernet 1/0/2 max-groups Port Max-Groups Overflow-Action ------------- --------------- --------------------- Gi1/0/2 Drops Switch(config)#end Switch#copy running-config startup-config
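
The permit/deny profile, max-groups and Drop overflow rules from the Multicast Filtering Configuration pages above, modelled in Python as an added example; it is not TP-Link code and not the switch's implementation. The class names, the inclusive start/end range representation and the order of checks (profile first, then group limit) are assumptions, and only the Drop overflow action is modelled.

```python
"""Model of the per-port multicast filtering decision (added example).

Hypothetical names throughout; limits (profile ID 1-999, max-groups 1-1000)
are the ones stated in the guide. Sample groups below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Profile:
    profile_id: int                      # guide: profile ID between 1 and 999
    mode: str                            # "permit" = whitelist, "deny" = blacklist
    ranges: List[Tuple[str, str]] = field(default_factory=list)  # inclusive (assumed)

    def __post_init__(self):
        if not 1 <= self.profile_id <= 999:
            raise ValueError("profile ID must be between 1 and 999")
        if self.mode not in ("permit", "deny"):
            raise ValueError("mode must be 'permit' or 'deny'")
        self._parsed = []
        for start, end in self.ranges:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if lo.version != hi.version or not (lo.is_multicast and hi.is_multicast):
                raise ValueError(f"bad multicast range {start}-{end}")
            if lo > hi:
                raise ValueError(f"range start above end: {start}-{end}")
            self._parsed.append((lo, hi))

    def matches(self, group) -> bool:
        """True if the group address falls inside any range of this profile."""
        g = ipaddress.ip_address(group)
        return any(lo <= g <= hi for lo, hi in self._parsed if lo.version == g.version)


@dataclass
class Port:
    name: str
    max_groups: int                      # guide: valid values are 1 to 1000
    profile: Optional[Profile] = None
    joined: Set = field(default_factory=set)

    def __post_init__(self):
        if not 1 <= self.max_groups <= 1000:
            raise ValueError("max-groups must be between 1 and 1000")

    def handle_report(self, group) -> Tuple[bool, str]:
        """Decide whether a membership report on this port is accepted."""
        g = ipaddress.ip_address(group)
        if not g.is_multicast:
            return False, "not-multicast"
        if self.profile is not None:
            hit = self.profile.matches(g)
            if self.profile.mode == "permit" and not hit:
                return False, "not-in-permit-profile"
            if self.profile.mode == "deny" and hit:
                return False, "in-deny-profile"
        if g in self.joined:
            return True, "refresh"       # already a member, no new slot used
        if len(self.joined) >= self.max_groups:
            return False, "overflow-drop"  # Drop: the new report is discarded
        self.joined.add(g)
        return True, "joined"

    def handle_leave(self, group) -> None:
        """Remove the group from the port (leave/done message)."""
        self.joined.discard(ipaddress.ip_address(group))


def demo():
    """Profile 1 bound to Gi1/0/2 with max-groups 50 and Drop, as in the guide."""
    profile = Profile(1, "permit", [("225.1.1.1", "225.1.1.10")])  # constructed range
    port = Port("Gi1/0/2", max_groups=50, profile=profile)
    reports = ["225.1.1.1", "239.1.2.3", "225.1.1.1", "192.168.0.5"]
    return [(g, *port.handle_report(g)) for g in reports]


if __name__ == "__main__":
    for group, accepted, reason in demo():
        print(f"{group:<12} accepted={accepted!s:<5} {reason}")
```
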
  • Page 379: Viewing Multicast Snooping Information

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Viewing Multicast Snooping Information You can view the following multicast snooping information: ■ View IPv4 multicast table. ■ View IPv4 multicast statistics on each port. ■ View IPv6 multicast table. ■ View IPv6 multicast statistics on each port. 6.1 Using the GUI 6.1.1 Viewing IPv4 Multicast Table Choose the menu L2 FEATURES >...
  • Page 380: Viewing Ipv4 Multicast Statistics On Each Port

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Forward Ports All ports in the multicast group, including router ports and member ports. 6.1.2 Viewing IPv4 Multicast Statistics on Each Port Choose the menu L2 FEATURES > Multicast > Multicast Info > IPv4 Multicast Statistics to load the following page: Figure 6-2 IPv4 Multicast Statistics Follow these steps to view IPv4 multicast statistics on each port:...
  • Page 381: Viewing Ipv6 Multicast Table

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Report Packets Displays the number of IGMPv2 report packets received by the port. (v2) Report Packets Displays the number of IGMPv3 report packets received by the port. (v3) Leave Packets Displays the number of leave packets received by the port. Error Packets Displays the number of error packets received by the port.
  • Page 382: Viewing Ipv6 Multicast Statistics On Each Port

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information 6.1.4 Viewing IPv6 Multicast Statistics on Each Port Choose the menu L2 FEATURES > Multicast > Multicast Info > IPv6 Multicast Statistics to load the following page: Figure 6-4 IPv6 Multicast Statistics Follow these steps to view IPv6 multicast statistics on each port: 1) To get the real-time IPv6 multicast statistics, enable Auto Refresh, or click Refresh.
  • Page 383: Using The Cli

    Configuring Layer 2 Multicast Viewing Multicast Snooping Information Done Packets Displays the number of done packets received by the port. Error Packets Displays the number of error packets received by the port. 6.2 Using the CLI 6.2.1 Viewing IPv4 Multicast Snooping Information show ip igmp snooping groups [ vlan vlan-id ] [count | dynamic | dynamic count | static | static count ] Displays information of specific multicast group in all VLANs or in the specific VLAN.
  • Page 384: Configuration Examples

    Configuring Layer 2 Multicast Configuration Examples Configuration Examples 7.1 Example for Configuring Basic IGMP Snooping 7.1.1 Network Requirements Host B, Host C and Host D are in the same VLAN of the switch. All of them want to receive multicast streams sent to multicast group 225.1.1.1. As shown in the following topology, Host B, Host C and Host D are connected to port 1/0/1, port 1/0/2 and port 1/0/3 respectively.
  • Page 385: Using The Gui

    Configuring Layer 2 Multicast Configuration Examples ■ Enable IGMP Snooping on the ports. Demonstrated with T2600G-28TS, this section provides configuration procedures in two ways: using the GUI and using the CLI. 7.1.3 Using the GUI 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page.
  • Page 386 Configuring Layer 2 Multicast Configuration Examples Figure 7-3 Configure PVID for the Ports 3) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Global Config to load the following page. In the Global Config section, enable IGMP Snooping globally. Configure the IGMP version as v3 so that the switch can process IGMP messages of all versions.
  • Page 387: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-5 Enable IGMP Snooping in the VLAN 5) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Enable IGMP Snooping for ports 1/0/1-4. Figure 7-6 Enable IGMP Snooping on the Ports 6) Click to save the settings.
  • Page 388 Configuring Layer 2 Multicast Configuration Examples Switch#configure Switch(config)#vlan 10 Switch(config-vlan)#name vlan10 Switch(config-vlan)#exit 2) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Add port 1/0/4 to VLAN 10 and set the link type as tagged. Switch(config)#interface range gigabitEthernet 1/0/1-3 Switch(config-if-range)#switchport general allowed vlan 10 untagged Switch(config-if-range)#exit Switch(config)#interface gigabitEthernet 1/0/4...
  • Page 389: Example For Configuring Mvr

    Configuring Layer 2 Multicast Configuration Examples VLAN Name Status Ports ----- -------------------- --------- ---------------------------------------- System-VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, vlan10 active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4 Show status of IGMP Snooping globally, on the ports and in the VLAN: Switch(config)#show ip igmp snooping IGMP Snooping :Enable...
  • Page 390: Configuration Scheme

    Configuring Layer 2 Multicast Configuration Examples Figure 7-7 Network Topology for Multicast VLAN Source Querier VLAN 40 Gi1/0/4 Gi1/0/1 Gi1/0/3 Gi1/0/2 Host D Host B Host C Receiver Receiver Receiver 7.2.3 Configuration Scheme As the hosts are in different VLANs, in IGMP Snooping, the Querier needs to duplicate multicast streams for hosts in each VLAN.
  • Page 391 Configuring Layer 2 Multicast Configuration Examples Figure 7-8 VLAN Configurations for Port 1/0/1-3 Figure 7-9 PVID for Port 1/0/1-3 2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 40 and add port 1/0/4 to the VLAN as Tagged port.
  • Page 392 Configuring Layer 2 Multicast Configuration Examples Figure 7-10 Create Multicast VLAN 3) Choose the menu L2 FEATURES > Multicast > MVR > MVR Config to load the following page. Enable MVR globally, and configure the MVR mode as Dynamic, multicast VLAN ID as 40.
  • Page 393: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-12 Add Multicast Group to MVR 5) Choose the menu L2 FEATURES > Multicast > MVR > Port Config to load the following page. Enable MVR for port 1/0/1-4. Configure port 1/0/1-3 as Receiver ports and port 1/0/4 as Source port.
  • Page 394 Configuring Layer 2 Multicast Configuration Examples Switch(config-if)#switchport general allowed vlan 10 untagged Switch(config-if)#switchport pvid 10 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#switchport general allowed vlan 20 untagged Switch(config-if)#switchport pvid 20 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#switchport general allowed vlan 30 untagged Switch(config-if)#switchport pvid 30 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/4 Switch(config-if)#switchport general allowed vlan 40 tagged...
  • Page 395 Configuring Layer 2 Multicast Configuration Examples 4) Enable MVR globally, and configure the MVR mode as Dynamic, multicast VLAN ID as 40. Add multicast group 225.1.1.1 to MVR. Switch(config)#mvr Switch(config)#mvr mode dynamic Switch(config)#mvr vlan 40 Switch(config)#mvr group 225.1.1.1 1 5) Enable MVR for port 1/0/1-4. Configure port 1/0/1-3 as Receiver ports and port 1/0/4 as Source port.
  • Page 396: Example For Configuring Unknown Multicast And Fast Leave

    Configuring Layer 2 Multicast Configuration Examples Show the brief information of MVR: Switch(config)#show mvr :Enable MVR Multicast Vlan MVR Max Multicast Groups :511 MVR Current Multicast Groups MVR Global Query Response Time :5 (tenths of sec) MVR Mode Type :Dynamic Show the membership of MVR groups: Switch(config)#show mvr members MVR Group IP...
  • Page 397: Configuration Scheme

    Configuring Layer 2 Multicast Configuration Examples Figure 7-14 Network Topology for Unknown Multicast and Fast Leave (figure labels: Source, Querier, Gi1/0/4, VLAN 10, Gi1/0/2, Host B, Receiver) 7.3.2 Configuration Scheme After the channel is changed, the client (Host B) still receives irrelevant multicast data: the data from the previous channel and possibly other unknown multicast data, which increases the network load and results in network congestion.
  • Page 398 Configuring Layer 2 Multicast Configuration Examples Figure 7-15 Configure IGMP Snooping Globally Note: IGMP Snooping and MLD Snooping share the setting of Unknown Multicast, so you have to enable MLD Snooping globally on the L2 FEATURES > Multicast > MLD Snooping > Global Config page at the same time.
  • Page 399: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples 4) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Enable IGMP Snooping on port 1/0/2 and port 1/0/4 and enable Fast Leave on port 1/0/2. Figure 7-17 Configure IGMP Snooping on Ports 5) Click to save the settings.
  • Page 400: Example For Configuring Multicast Filtering

    Configuring Layer 2 Multicast Configuration Examples 4) Enable IGMP Snooping in VLAN 10. Switch(config)#ip igmp snooping vlan-config 10 5) Save the settings. Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Show global settings of IGMP Snooping: Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Unknown Multicast...
  • Page 401: Network Topology

    Configuring Layer 2 Multicast Configuration Examples 7.4.3 Network Topology As shown in the following network topology, Host B is connected to port 1/0/1, Host C is connected to port 1/0/2 and Host D is connected to port 1/0/3. They are all in VLAN 10. Figure 7-18 Network Topology for Multicast Filtering Source Querier...
  • Page 402 Configuring Layer 2 Multicast Configuration Examples Figure 7-19 Enable IGMP Snooping Globally 3) In the IGMP VLAN Config section, click in VLAN 10 to load the following page. Enable IGMP Snooping for VLAN 10. Figure 7-20 Enable IGMP Snooping for VLAN 10...
  • Page 403 Configuring Layer 2 Multicast Configuration Examples 4) Choose the menu L2 FEATURES > Multicast > IGMP Snooping > Port Config to load the following page. Figure 7-21 Enable IGMP Snooping on the Port 5) Choose the menu L2 FEATURES > Multicast > Multicast Filtering > IPv4 Profile and click to load the following page.
  • Page 404 Configuring Layer 2 Multicast Configuration Examples Figure 7-22 Configure Filtering Profile for Host C and Host D 6) Click again to load the following page. Create Profile 2, specify the mode as Deny, bind the profile to port 1/0/1, and specify the filtering multicast IP address as 225.0.0.2.
  • Page 405: Using The Cli

    Configuring Layer 2 Multicast Configuration Examples Figure 7-23 Configure Filtering Profile for Host B 7) Click to save the settings. 7.4.5 Using the CLI 1) Create VLAN 10. Switch#configure Switch(config)#vlan 10 Switch(config-vlan)#name vlan10 Switch(config-vlan)#exit 2) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Add port 1/0/4 to VLAN 10 and set the link type as tagged.
  • Page 406 Configuring Layer 2 Multicast Configuration Examples Switch(config-if)#exit 3) Set the PVID of port 1/0/1-4 as 10. Switch(config)#interface range gigabitEthernet 1/0/1-4 Switch(config-if-range)#switchport pvid 10 Switch(config-if-range)#exit 4) Enable IGMP Snooping Globally. Switch(config)#ip igmp snooping 5) Enable IGMP Snooping in VLAN 10. Switch(config)#ip igmp snooping vlan-config 10 6) Enable IGMP Snooping on port 1/0/1-4.
  • Page 407 Configuring Layer 2 Multicast Configuration Examples Switch(config-if)#exit 11) Save the settings. Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Show global settings of IGMP Snooping: Switch(config)#show ip igmp snooping IGMP Snooping :Enable IGMP Version Enable Port:Gi1/0/1-4 Enable VLAN:10 Show all profile bindings: Switch(config)#show ip igmp profile IGMP Profile 1 permit...
  • Page 408: Appendix: Default Parameters

    Configuring Layer 2 Multicast Appendix: Default Parameters Appendix: Default Parameters 8.1 Default Parameters for IGMP Snooping Table 8-1 Default Parameters of IGMP Snooping Function Parameter Default Setting IGMP Snooping Disabled IGMP Version Global Settings of IGMP Snooping Unknown Multicast Groups Forward Header Validation Disabled...
  • Page 409: Default Parameters For Mld Snooping

    Configuring Layer 2 Multicast Appendix: Default Parameters Function Parameter Default Setting Static Multicast Group Static Multicast Group Entries None Settings IGMP Accounting Disabled IGMP Accounting and Authentication IGMP Authentication Disabled 8.2 Default Parameters for MLD Snooping Table 8-2 Default Parameters of MLD Snooping Function Parameter Default Setting...
  • Page 410: Default Parameters For Mvr

    Configuring Layer 2 Multicast Appendix: Default Parameters Function Parameter Default Setting Static Multicast Group Static Multicast Group Entries None Settings 8.3 Default Parameters for MVR Table 8-3 Default Parameters of MVR Function Parameter Default Setting Disabled MVR Mode Compatible Global Settings of MVR Multicast VLAN ID Query Response Time 5 tenths of a second...
  • Page 411: Configuring Spanning Tree

    Part 14 Configuring Spanning Tree CHAPTERS 1. Spanning Tree 2. STP/RSTP Configurations 3. MSTP Configurations 4. STP Security Configurations 5. Configuration Example for MSTP 6. Appendix: Default Parameters...
  • Page 412: Spanning Tree

    Configuring Spanning Tree Spanning Tree Spanning Tree 1.1 Overview STP (Spanning Tree Protocol) is a Layer 2 protocol that prevents loops in the network. As shown in Figure 1-1, STP helps to: ■ Block specific ports of the switches to build a loop-free topology. ■...
  • Page 413 Configuring Spanning Tree Spanning Tree Figure 1-2 STP/RSTP Topology (figure labels: Root bridge, Designated port, Root port, Backup port, Alternate port) Root Bridge The root bridge is the root of a spanning tree. The switch with the lowest bridge ID will be the root bridge, and there is only one root bridge in a spanning tree.
  • Page 414 Configuring Spanning Tree Spanning Tree In RSTP/MSTP, the alternate port is the backup for the root port. It is blocked when the root port works normally. Once the root port fails, the alternate port will become the new root port. In STP, the alternate port is always blocked.
  • Page 415 Spanning Tree Learning and Forwarding status correspond exactly to the Learning and Forwarding status specified in STP. In TP-Link switches, the port status includes: Blocking, Learning, Forwarding and Disconnected. ■ Blocking In this status, the port receives and sends BPDUs. The other packets are dropped.
  • Page 416: Mstp Concepts

    Configuring Spanning Tree Spanning Tree downstream switch. The value of the accumulated root path cost increases as the BPDU spreads further. BPDU A BPDU (Bridge Protocol Data Unit) is a kind of packet that is used to generate and maintain the spanning tree. BPDUs contain a lot of information, like bridge ID, root path cost, port priority and so on.
  • Page 417: Stp Security

    Configuring Spanning Tree Spanning Tree MST Instance The MST instance is a spanning tree running in the MST region. Multiple MST instances can be established in one MST region and they are independent of each other. As is shown in Figure 1-4, there are three instances in a region, and each instance has its own root bridge.
  • Page 418 Configuring Spanning Tree Spanning Tree » Loop Protect The Loop Protect function is used to prevent loops caused by link congestion or link failures. It is recommended to enable this function on root ports and alternate ports. If the switch cannot receive BPDUs because of link congestion or link failures, the root port will become a designated port and the alternate port will transition to forwarding status, so loops will occur.
  • Page 419 Configuring Spanning Tree Spanning Tree » TC Protect The TC Protect function is used to prevent the switch from frequently removing MAC address entries. It is recommended to enable this function on the ports of non-root switches. A switch removes MAC address entries upon receiving TC-BPDUs (the packets used to announce changes in the network topology).
  • Page 420: Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations STP/RSTP Configurations To complete the STP/RSTP configuration, follow these steps: 1) Configure STP/RSTP parameters on ports. 2) Configure STP/RSTP globally. 3) Verify the STP/RSTP configurations. Configuration Guidelines ■ Before configuring the spanning tree, it’s necessary to make clear the role that each switch plays in a spanning tree.
  • Page 421 Configuring Spanning Tree STP/RSTP Configurations Follow these steps to configure STP/RSTP parameters on ports: 1) In the Port Config section, configure STP/RSTP parameters on ports. UNIT Select the desired unit or LAGs. Status Enable or disable spanning tree function on the desired port. Priority Specify the Priority for the desired port.
  • Page 422: Configuring Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations MCheck Select whether to perform MCheck operations on the port. If a port on an RSTP-enabled/MSTP-enabled device is connected to an STP-enabled device, the port will switch to STP compatible mode and send packets in STP format.
  • Page 423 Configuring Spanning Tree STP/RSTP Configurations Figure 2-2 Configuring STP/RSTP Globally Follow these steps to configure STP/RSTP globally: 1) In the Parameters Config section, configure the global parameters of STP/RSTP and click Apply. CIST Priority Specify the CIST priority for the switch. CIST priority is a parameter used to determine the root bridge for spanning tree.
  • Page 424: Verifying The Stp/Rstp Configurations

    Configuring Spanning Tree STP/RSTP Configurations Max Hops Specify the maximum BPDU hop count that can be forwarded in an MST region. The default value is 20. A switch receives a BPDU, then decrements the hop count by one and generates BPDUs with the new value. When the hop count reaches zero, the switch will discard the BPDU.
  • Page 425 Configuring Spanning Tree STP/RSTP Configurations Figure 2-3 Verifying the STP/RSTP Configurations The STP Summary section shows the summary information of spanning tree: Spanning Tree Displays the status of the spanning tree function. Spanning Tree Mode Displays the spanning tree mode. Local Bridge Displays the bridge ID of the local bridge.
  • Page 426: Using The Cli

    Configuring Spanning Tree STP/RSTP Configurations Designated Bridge Displays the bridge ID of the designated bridge. The designated bridge is the switch that has designated ports. Root Port Displays the root port of the current switch. Latest TC Time Displays the latest time when the topology is changed. TC Count Displays how many times the topology has changed.
  • Page 427 Configuring Spanning Tree STP/RSTP Configurations Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure STP/RSTP parameters on the desired port. pri: Specify the Priority for the desired port.
  • Page 428: Configuring Global Stp/Rstp Parameters

    Configuring Spanning Tree STP/RSTP Configurations The following example shows how to enable spanning tree function on port 1/0/3 and configure the port priority as 32: Switch#configure Switch(config)#interface gigabitEthernet 1/0/3 Switch(config-if)#spanning-tree Switch(config-if)#spanning-tree common-config port-priority 32 Switch(config-if)#show spanning-tree interface gigabitEthernet 1/0/3 Interface State Prio...
  • Page 429 Configuring Spanning Tree STP/RSTP Configurations Step 3 spanning-tree timer {[ forward-time forward-time ] [ hello-time hello-time ] [ max-age max-age ]} (Optional) Configure the Forward Delay, Hello Time and Max Age. forward-time: Specify the value of Forward Delay. It is the interval between the port state transition from listening to learning.
  • Page 430: Enabling Stp/Rstp Globally

    Configuring Spanning Tree STP/RSTP Configurations Switch#configure Switch(config)#spanning-tree priority 36864 Switch(config)#spanning-tree timer forward-time 12 Switch(config)#show spanning-tree bridge State Mode Priority Hello-Time Fwd-Time Max-Age Hold-Count Max-Hops ------- ----- -------- ------ -------- -------- --------- -------- Enable Rstp 36864 Switch(config)#end Switch#copy running-config startup-config 2.2.3 Enabling STP/RSTP Globally Follow these steps to configure the spanning tree mode as STP/RSTP, and enable spanning tree function globally: Step 1...
  • Page 431 Configuring Spanning Tree STP/RSTP Configurations Switch(config)#show spanning-tree active Spanning tree is enabled Spanning-tree’s mode: RSTP (802.1w Rapid Spanning Tree Protocol) Latest topology change time: 2006-01-02 10:04:02 Root Bridge Priority : 32768 Address : 00-0a-eb-13-12-ba Local bridge is the root bridge Designated Bridge Priority : 32768...
  • Page 432: Mstp Configurations

    Configuring Spanning Tree MSTP Configurations MSTP Configurations To complete the MSTP configuration, follow these steps: 1) Configure parameters on ports in CIST. 2) Configure the MSTP region. 3) Configure the MSTP globally. 4) Verify the MSTP configurations. Configuration Guidelines ■ Before configuring the spanning tree, it’s necessary to make clear the role that each switch plays in a spanning tree.
  • Page 433 Configuring Spanning Tree MSTP Configurations Follow these steps to configure parameters on ports in CIST: 1) In the Port Config section, configure the parameters on ports. UNIT Select the desired unit or LAGs. Status Enable or disable spanning tree function on the desired port. Priority Specify the Priority for the desired port.
  • Page 434 Configuring Spanning Tree MSTP Configurations P2P Link Select the status of the P2P (Point-to-Point) link to which the ports are connected. During the regeneration of the spanning tree, if the port of P2P link is elected as the root port or the designated port, it can transit its state to forwarding directly.
  • Page 435: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations Port Status Displays the port status. Forwarding: The port receives and sends BPDUs, and forwards user data. Learning: The port receives and sends BPDUs. It also receives user traffic, but doesn’t forward the traffic. Blocking: The port only receives and sends BPDUs. Disconnected: The port has the spanning tree function enabled but is not connected to any device.
  • Page 436 Configuring Spanning Tree MSTP Configurations ■ Configuring the VLAN-Instance Mapping and Switch Priority Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Config to load the following page. Figure 3-3 Configuring the VLAN-Instance Mapping Follow these steps to map VLANs to the corresponding instance, and configure the priority of the switch in the desired instance: 1) In the Instance Config section, click Add and enter the instance ID, Priority and corresponding VLAN ID.
  • Page 437 Configuring Spanning Tree MSTP Configurations ■ Configuring Parameters on Ports in the Instance Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Figure 3-5 Configuring Port Parameters in the Instance Follow these steps to configure port parameters in the instance: 1) In the Instance Port Config section, select the desired instance ID.
  • Page 438 Configuring Spanning Tree MSTP Configurations Port Role Displays the role that the port plays in the desired instance. Root Port: Indicates that the port is the root port in the desired instance. It has the lowest path cost from the root bridge to this switch and is used to communicate with the root bridge.
  • Page 439: Configuring Mstp Globally

    Configuring Spanning Tree MSTP Configurations 3.1.3 Configuring MSTP Globally Choose the menu L2 FEATURES > Spanning Tree > STP Config > STP Config to load the following page. Figure 3-6 Configure MSTP Function Globally Follow these steps to configure MSTP globally: 1) In the Parameters Config section, configure the global parameters of MSTP and click Apply.
  • Page 440 Configuring Spanning Tree MSTP Configurations Forward Delay Specify the interval between the port state transition from listening to learning. The default value is 15. It is used to prevent the network from causing temporary loops during the regeneration of spanning tree. The interval between the port state transition from learning to forwarding is also the Forward Delay.
  • Page 441: Verifying The Mstp Configurations

    Configuring Spanning Tree MSTP Configurations 3.1.4 Verifying the MSTP Configurations Choose the menu Spanning Tree > STP Config > STP Summary to load the following page. Figure 3-7 Verifying the MSTP Configurations The STP Summary section shows the summary information of CIST: Spanning Tree Displays the status of the spanning tree function.
  • Page 442: Using The Cli

    Configuring Spanning Tree MSTP Configurations Regional Root Bridge Displays the bridge ID of the root bridge in IST. Internal Path Cost Displays the internal path cost. It is the root path cost from the current switch to the root bridge in IST. Designated Bridge Displays the bridge ID of the designated bridge in CIST.
  • Page 443 Configuring Spanning Tree MSTP Configurations Step 3 spanning-tree Enable spanning tree function for the desired port. Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ int-cost int-cost ][ portfast { enable | disable }] [ point-to-point { auto | open | close }] Configure the parameters on ports in CIST.
  • Page 444 Configuring Spanning Tree MSTP Configurations Step 6 show spanning-tree interface [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel lagid ] [ edge | ext-cost | int-cost | mode | p2p | priority | role | state | status ] (Optional) View the information of all ports or a specified port.
  • Page 445: Configuring The Mstp Region

    Configuring Spanning Tree MSTP Configurations 3.2.2 Configuring the MSTP Region ■ Configuring the MST Region Follow these steps to configure the MST region and the priority of the switch in the instance: Step 1 configure Enter global configuration mode. Step 2 spanning-tree mst instance instance-id priority pri Configure the priority of the switch in the instance.
  • Page 446 Configuring Spanning Tree MSTP Configurations Step 8 Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file. This example shows how to create an MST region, of which the region name is R1, the revision level is 100 and VLAN 2-VLAN 6 are mapped to instance 5: Switch#configure Switch(config)#spanning-tree mst configuration...
  • Page 447 Configuring Spanning Tree MSTP Configurations Step 3 spanning-tree mst instance instance-id {[ port-priority pri ] | [ cost cost ]} Configure the priority and path cost of ports in the specified instance. instance-id: Specify the instance ID; valid values range from 1 to 8. pri: Specify the Priority for the port in the corresponding instance.
  • Page 448: Configuring Global Mstp Parameters

    Configuring Spanning Tree MSTP Configurations Interface Prio Cost Role Status ----------- ------ ------ -------- --------- ------- Gi1/0/3 144 200 LnkDwn N/A Switch(config-if)#end Switch#copy running-config startup-config 3.2.3 Configuring Global MSTP Parameters Follow these steps to configure the global MSTP parameters of the switch: Step 1 configure Enter global configuration mode.
  • Page 449 Configuring Spanning Tree MSTP Configurations Step 5 spanning-tree max-hops value (Optional) Specify the maximum BPDU hop count that can be forwarded in an MST region. A switch receives a BPDU, then decrements the hop count by one and generates BPDUs with the new value.
  • Page 450: Enabling Spanning Tree Globally

    Configuring Spanning Tree MSTP Configurations 3.2.4 Enabling Spanning Tree Globally Follow these steps to configure the spanning tree mode as MSTP and enable spanning tree function globally: Step 1 configure Enter global configuration mode. Step 2 spanning-tree mode mstp Configure the spanning tree mode as MSTP. mstp: Specify the spanning tree mode as MSTP.
  • Page 451 Configuring Spanning Tree MSTP Configurations Priority : 32768 Address : 00-0a-eb-13-23-97 Regional Root Bridge Priority : 36864 Address : 00-0a-eb-13-12-ba Local bridge is the regional root bridge Local Bridge Priority : 36864 Address : 00-0a-eb-13-12-ba Interface State Prio Ext-Cost Int-Cost Edge Mode Role Status...
  • Page 452: Stp Security Configurations

    Configuring Spanning Tree STP Security Configurations STP Security Configurations 4.1 Using the GUI Choose the menu L2 FEATURES > Spanning Tree > STP Security to load the following page. Figure 4-1 Configuring the Port Protect Configure the Port Protect features for the selected ports, and click Apply. UNIT Select the desired unit or LAGs for configuration.
  • Page 453: Using The Cli

    Configuring Spanning Tree STP Security Configurations Root Protect Enable or disable Root Protect. It is recommended to enable this function on the designated ports of the root bridge. Switches with faulty configurations may produce higher-priority BPDUs than the root bridge’s, and this situation will cause recalculation of the spanning tree.
  • Page 454 Configuring Spanning Tree STP Security Configurations Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3 spanning-tree guard loop (Optional) Enable Loop Protect.
  • Page 455 Configuring Spanning Tree STP Security Configurations Step 8 spanning-tree bpduflood (Optional) Enable BPDU Forward. This function only takes effect when the spanning tree function is disabled globally. By default, it is enabled. With BPDU forward enabled, the port can still forward spanning tree BPDUs when the spanning tree function is disabled.
  • Page 456: Configuration Example For Mstp

    Configuring Spanning Tree Configuration Example for MSTP Configuration Example for MSTP MSTP, backwards-compatible with STP and RSTP, can map VLANs to instances to implement load-balancing, thus providing a more flexible method in network management. Here we take the MSTP configuration as an example. 5.1 Network Requirements As shown in figure 5-1, the network consists of three switches.
  • Page 457: Using The Gui

    Configuring Spanning Tree Configuration Example for MSTP Figure 5-2 VLAN-Instance Mapping Switch A Gi1/0/1 Gi1/0/1 Gi1/0/1 Switch B Switch C Instance 1: VLAN 101 -VLAN 103 Instance 2: VLAN 104 -VLAN 106 Blocked Port The overview of configuration is as follows: 1) Enable MSTP function globally in all the switches.
  • Page 458 Configuring Spanning Tree Configuration Example for MSTP Figure 5-3 Configure the Global MSTP Parameters of the Switch 2) Choose the menu L2 FEATURES > Spanning Tree > STP Config > Port Config to load the following page. Enable spanning tree function on port 1/0/1 and port 1/0/2. Here we leave the values of the other parameters as default settings.
  • Page 459 Configuring Spanning Tree Configuration Example for MSTP Figure 5-5 Configuring the MST Region 4) Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Config. Click Add, map VLAN101-VLAN103 to instance 1 and set the priority as 32768; map VLAN104-VLAN106 to instance 2 and set the priority as 32768.
  • Page 460 Configuring Spanning Tree Configuration Example for MSTP Figure 5-7 Configure the Path Cost of Port 1/0/1 In Instance 1 6) Click to save the settings. ■ Configurations for Switch B 1) Choose the menu L2 FEATURES > Spanning Tree > STP Config > STP Config to load the following page.
  • Page 461 Configuring Spanning Tree Configuration Example for MSTP Figure 5-9 Enable Spanning Tree Function on Ports 3) Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Region Config to load the following page. Set the region name as 1 and the revision level as 100. Click Apply.
  • Page 462 Configuring Spanning Tree Configuration Example for MSTP 5) Choose the menu L2 FEATURES > Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Set the path cost of port 1/0/2 in instance 2 as 300000 so that port 1/0/1 of switch A can be selected as the designated port. Figure 5-12 Configure the Path Cost of Port 1/0/2 in Instance 2 6) Click to save the settings.
  • Page 463 Configuring Spanning Tree Configuration Example for MSTP 2) Choose the menu L2 FEATURES > Spanning Tree > STP Config > Port Config to load the following page. Enable the spanning tree function on port 1/0/1 and port 1/0/2. Here we leave the values of the other parameters as default settings. Click Apply. Figure 5-14 Enable Spanning Tree Function on Ports 3) Choose the menu Spanning Tree >...
  • Page 464 Configuring Spanning Tree Configuration Example for MSTP 5.4 Using the CLI ■ Configurations for Switch A 1) Configure the spanning tree mode as MSTP, then enable spanning tree function globally. Switch#configure Switch(config)#spanning-tree mode mstp Switch(config)#spanning-tree 2) Enable the spanning tree function on port 1/0/1 and port 1/0/2, and specify the path cost of port 1/0/1 in instance 1 as 300000.
  • Page 465 Configuring Spanning Tree Configuration Example for MSTP 2) Enable the spanning tree function on port 1/0/1 and port 1/0/2, and specify the path cost of port 1/0/2 in instance 2 as 300000. Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#spanning-tree Switch(config-if)#spanning-tree mst instance 2 cost 300000 Switch(config-if)#exit Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#spanning-tree...
  • Page 466 Configuring Spanning Tree Configuration Example for MSTP 3) Configure the region name as 1, the revision number as 100; map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2; configure the priority of Switch C in instance 2 as 0 to set it as the root bridge in instance 2: Switch(config)#spanning-tree mst configuration Switch(config-mst)#name 1 Switch(config-mst)#revision 100...
  • Page 467 Configuring Spanning Tree Configuration Example for MSTP Interface Prio Cost Role Status --------- ---- -------- ------ ----- ---- Gi1/0/1 300000 Root Gi1/0/2 200000 Altn Verify the configurations of Switch A in instance 2: Switch(config)#show spanning-tree mst instance 2 MST-Instance 2 Root Bridge Priority Address...
  • Page 468 Configuring Spanning Tree Configuration Example for MSTP Local bridge is the root bridge Designated Bridge Priority Address : 00-0a-eb-13-12-ba Local Bridge Priority Address : 00-0a-eb-13-12-ba Interface Prio Cost Role Status ---------- ---- -------- ------- -------- Gi1/0/1 200000 Desg Gi1/0/2 200000 Desg Verify the configurations of Switch B in instance 2: Switch(config)#show spanning-tree mst instance 2 MST-Instance 2...
  • Page 469 Configuring Spanning Tree Configuration Example for MSTP ■ Switch C Verify the configurations of Switch C in instance 1: Switch(config)#show spanning-tree mst instance 1 MST-Instance 1 Root Bridge Priority Address : 00-0a-eb-13-12-ba Internal Cost : 200000 Root Port Designated Bridge Priority Address : 00-0a-eb-13-12-ba...
  • Page 470 Configuring Spanning Tree Configuration Example for MSTP Local Bridge Priority Address : 3c-46-d8-9d-88-f7 Interface Prio Cost Role Status ----------- ------ --------- ------- ---------- Gi1/0/1 200000 Desg Gi1/0/2 200000 Desg...
  • Page 471 Configuring Spanning Tree Appendix: Default Parameters Appendix: Default Parameters Default settings of the Spanning Tree feature are listed in the following table. Table 6-1 Default Settings of the Global Parameters Parameter Default Setting Spanning-tree Disabled Mode CIST Priority 32768 Hello Time 2 seconds Max Age 20 seconds...
  • Page 472 Configuring Spanning Tree Appendix: Default Parameters Parameter Default Setting Priority 32768 Port Priority Path Cost Auto Table 6-4 Default Settings of the STP Security Parameter Default Setting Loop Protect Disabled Root Protect Disabled TC Guard Disabled BPDU Protect Disabled BPDU Filter Disabled BPDU Forward Enabled...
  • Page 473 Part 15 Configuring LLDP CHAPTERS 1. LLDP 2. LLDP Configurations 3. LLDP-MED Configurations 4. Viewing LLDP Settings 5. Viewing LLDP-MED Settings 6. Configuration Examples 7. Appendix: Default Parameters...
  • Page 474 Configuring LLDP LLDP LLDP 1.1 Overview LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol that is used for network devices to advertise information about themselves to other devices on the network. This protocol is defined by the IEEE 802.1ab standard and runs over Layer 2 (the data-link layer), which allows for interoperability between network devices of different vendors.
  • Page 475 Configuring LLDP LLDP Configurations LLDP Configurations To configure the LLDP function, follow these steps: 1) Configure the LLDP feature globally. 2) Configure the LLDP feature for the port. 2.1 Using the GUI 2.1.1 Configuring LLDP Globally Choose the menu L2 FEATURES > LLDP > LLDP Config > Global Config to load the following page.
  • Page 476 Configuring LLDP LLDP Configurations Follow these steps to configure the LLDP feature globally. 1) In the Global Config section, enable LLDP. You can also enable the switch to forward LLDP messages when LLDP function is disabled. Click Apply. LLDP Enable LLDP function globally. LLDP Forwarding (Optional) Enable the switch to forward LLDP messages when LLDP function is...
  • Page 477 Configuring LLDP LLDP Configurations 2.1.2 Configuring LLDP For the Port Choose the menu L2 FEATURES > LLDP > LLDP Config > Port Config to load the following page. Figure 2-2 Port Config Follow these steps to configure the LLDP feature for the interface. 1) Select one or more ports to configure.
  • Page 478 Configuring LLDP LLDP Configurations Included TLVs Configure the TLVs included in the outgoing LLDP packets. The switch supports the following TLVs: PD: Used to advertise the port description defined by the IEEE 802 LAN station. SC: Used to advertise the supported functions and whether or not these functions are enabled.
  • Page 479 Configuring LLDP LLDP Configurations Step 3 lldp forward_message (Optional) Enable the switch to forward LLDP messages when LLDP function is disabled. Step 4 lldp hold-multiplier multiplier (Optional) Specify the amount of time the neighbor device should hold the received information before discarding it. This parameter is a multiplier on the Transmit Interval that determines the actual TTL (Time To Live) value used in an LLDP packet.
  • Page 480 Configuring LLDP LLDP Configurations Switch(config)#lldp timer tx-interval 30 tx-delay 2 reinit-delay 3 notify-interval 5 fast-count 3 Switch(config)#show lldp LLDP Status: Enabled LLDP Forward Message: Disabled Tx Interval: 30 seconds TTL Multiplier: 4 Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: 3 LLDP-MED Fast Start Repeat Count: 4...
  • Page 481 Configuring LLDP LLDP Configurations Step 7 show lldp interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } Display LLDP configuration of the corresponding port. Step 8 Return to Privileged EXEC Mode. Step 9 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure the port 1/0/1.
  • Page 482 Configuring LLDP LLDP Configurations Link-Aggregation MAC-Physic Max-Frame-Size Power Switch(config-if)#end Switch#copy running-config startup-config User Guide...
  • Page 483 Configuring LLDP LLDP-MED Configurations LLDP-MED Configurations To configure the LLDP-MED function, follow these steps: 1) Enable the LLDP feature globally and configure the LLDP parameters for the ports. 2) Configure the LLDP-MED fast repeat count globally. 3) Enable and configure the LLDP-MED feature on the port. Configuration Guidelines LLDP-MED is used together with Auto VoIP to implement VoIP access.
  • Page 484 Configuring LLDP LLDP-MED Configurations Device Class Display the current device class. LLDP-MED defines two device classes, Network Connectivity Device and Endpoint Device. The switch is a Network Connectivity device. 3.1.2 Configuring LLDP-MED for Ports Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Port Config to load the following page.
  • Page 485 Configuring LLDP LLDP-MED Configurations Figure 3-3 LLDP-MED Port Config-Detail Network Policy Used to advertise VLAN configuration and the associated Layer 2 and Layer 3 attributes of the port to the endpoint devices. Location Used to assign the location identifier information to the Endpoint devices. Identification If this option is selected, you can configure the emergency number and the detailed address of the endpoint device in the Location Identification Parameters...
  • Page 486 Configuring LLDP LLDP-MED Configurations Civic Address Configure the address of the audio device in the IETF defined address format. What: Specify the role type of the local device, DHCP Server, Switch or LLDP-MED Endpoint. Country Code: Enter the country code defined by ISO 3166, for example, CN, US. Language, Province/State etc.: Enter the regular details.
  • Page 487 Configuring LLDP LLDP-MED Configurations TTL Multiplier: Tx Delay: 2 seconds Initialization Delay: 2 seconds Trap Notification Interval: 5 seconds Fast-packet Count: LLDP-MED Fast Start Repeat Count: Switch(config)#end Switch#copy running-config startup-config 3.2.2 Port Config Select the desired port, enable LLDP-MED and select the TLVs (Type/Length/Value) included in the outgoing LLDP packets according to your needs.
  • Page 488 Configuring LLDP LLDP-MED Configurations Step 6 Return to Privileged EXEC Mode. Step 7 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable LLDP-MED on port 1/0/1 and configure the LLDP-MED TLVs included in the outgoing LLDP packets. Switch(config)#lldp Switch(config)#lldp med-fast-count 4 Switch(config)#interface gigabitEthernet 1/0/1...
  • Page 489 Configuring LLDP LLDP-MED Configurations LLDP-MED Status: Enabled TLV Status --- ------ Network Policy Location Identification Extended Power Via MDI Inventory Management Switch(config)#end Switch#copy running-config startup-config User Guide...
  • Page 490 Configuring LLDP Viewing LLDP Settings Viewing LLDP Settings This chapter introduces how to view the LLDP settings on the local device. 4.1 Using GUI 4.1.1 Viewing LLDP Device Info ■ Viewing the Local Info Choose the menu L2 FEATURES > LLDP > LLDP Config > Local Info to load the following page.
  • Page 491 Configuring LLDP Viewing LLDP Settings Follow these steps to view the local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply. 2) In the Local Info section, select the desired port and view its associated local device information.
  • Page 492 Configuring LLDP Viewing LLDP Settings ■ Viewing the Neighbor Info Choose the menu L2 FEATURES > LLDP > LLDP Config > Neighbor Info to load the following page. Figure 4-2 Neighbor Info Follow these steps to view the neighbor information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 493 Configuring LLDP Viewing LLDP Settings 4.1.2 Viewing LLDP Statistics Choose the menu L2 FEATURES > LLDP > LLDP Config > Statistics Info to load the following page. Figure 4-3 Static Info Follow these steps to view LLDP statistics: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 494 Configuring LLDP Viewing LLDP Settings Total Ageouts Displays the latest number of neighbors that have aged out on the local device. 3) In the Neighbors Statistics section, view the statistics of the corresponding port. Transmit Total Displays the total number of the LLDP packets sent via the port. Receive Total Displays the total number of the LLDP packets received via the port.
  • Page 495 Configuring LLDP Viewing LLDP-MED Settings Viewing LLDP-MED Settings 5.1 Using GUI Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Local Info to load the following page. ■ Viewing the Local Info Figure 5-1 LLDP-MED Local Info Follow these steps to view LLDP-MED local information: 1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs.
  • Page 496 Configuring LLDP Viewing LLDP-MED Settings Application Displays the supported applications of the local device. Type Unknown Policy Displays the unknown location settings included in the network policy TLV. Flag VLAN tagged Displays the VLAN Tag type of the applications, tagged or untagged. Media Policy Displays the 802.1Q VLAN ID of the port.
  • Page 497 Configuring LLDP Viewing LLDP-MED Settings Location Data Displays the location type of the neighbor device. Format Power Type Displays the power type of the neighbor device. Information View more LLDP-MED details of the neighbor device. 5.2 Using CLI ■ Viewing the Local Info show lldp local-information interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } View the LLDP details of a specific port or all the ports on the local device.
  • Page 498 Configuring LLDP Configuration Examples Configuration Examples 6.1 Example for LLDP 6.1.1 Network Requirements The network administrator needs to view the information of the devices in the company network to learn about the link status and network topology so that he can troubleshoot potential network faults in advance.
  • Page 499 Configuring LLDP Configuration Examples Figure 6-2 LLDP Global Config 2) Choose the menu L2 FEATURES > LLDP > LLDP Config > Port Config to load the following page. Set the Admin Status of port Gi1/0/1 as Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Figure 6-3 LLDP Port Config 6.1.4 Using CLI 1) Enable LLDP globally and configure the corresponding parameters.
  • Page 500 Configuring LLDP Configuration Examples Switch_A(config)#lldp hold-multiplier 4 Switch_A(config)#lldp timer tx-interval 30 tx-delay 2 reinit-delay 3 notify-interval 5 fast-count 3 2) Set the Admin Status of port Gi1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets. Switch_A#configure Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#lldp receive...
  • Page 501 Configuring LLDP Configuration Examples Status ------ Port-Description System-Capability System-Description System-Name Management-Address Port-VLAN-ID Protocol-VLAN-ID VLAN-Name Link-Aggregation MAC-Physic Max-Frame-Size Power LLDP-MED Status: Disabled Status ------ Network Policy Location Identification Extended Power Via MDI Inventory Management View the Local Info Switch_A#show lldp local-information interface gigabitEthernet 1/0/1 LLDP local Information: gigabitEthernet 1/0/1: Chassis type:...
  • Page 502 Configuring LLDP Configuration Examples TTL: System name: T2600G-28TS System description: JetStream 24-Port Gigabit L2 Managed Switch with 4 SFP Slots System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.226 Management address interface type: IfIndex Management address interface ID: Management address OID: Port VLAN ID(PVID):...
  • Page 503 Hardware Revision: T2600G-28TS 3.0 Firmware Revision: Reserved Software Revision: 3.0.0 Build 20170918 Rel.71414(s) Serial Number: Reserved Manufacturer Name: TP-Link Model Name: T2600G-28TS 3.0 Asset ID: unknown View the Neighbor Info Switch_A#show lldp neighbor-information interface gigabitEthernet 1/0/1 LLDP Neighbor Information: gigabitEthernet 1/0/1:...
  • Page 504 Configuring LLDP Configuration Examples System name: T1600G-52PS System description: JetStream 48-Port Gigabit Smart PoE Switch with 4 SFP Slots System capabilities supported: Bridge Router System capabilities enabled: Bridge Router Management address type: ipv4 Management address: 192.168.0.1 Management address interface type: IfIndex Management address interface ID: Management address OID:...
  • Page 505 Configuring LLDP Configuration Examples 6.2 Example for LLDP-MED 6.2.1 Network Requirements As the following figure shows, an IP phone and a PC are both connected to port 1/0/1 of the switch. It is required that the voice data stream is sent to VLAN2 and other untagged data stream is sent to the default VLAN1.
  • Page 506 Configuring LLDP Configuration Examples Figure 6-2 VLAN Config 2) Choose the menu QoS > Auto VoIP to load the following page. Select port 1/0/1, configure the interface mode as VLAN ID and set the VLAN ID value as 2. Click Apply. User Guide...
  • Page 507 Configuring LLDP Configuration Examples Figure 6-3 Auto VoIP Config 3) Choose the menu L2 FEATURES > LLDP > LLDP Config > Global Config to load the following page. Enable LLDP globally and click Apply. Figure 6-4 LLDP Global Config 4) Choose the menu L2 FEATURES > LLDP > LLDP Config > Global Config > Port Config to load the following page.
  • Page 508 Configuring LLDP Configuration Examples Figure 6-5 LLDP-MED Config 5) Click to save the settings. 6.2.4 Using CLI 1) Create VLAN2 and add untagged port 1/0/1 to VLAN2. Switch#configure Switch(config)#vlan 2 Switch(config-vlan)#name voice_vlan Switch(config-vlan)#exit Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#switchport general allowed vlan 2 untagged Switch(config-if)#exit 2) Enable Auto VoIP globally.
  • Page 509 Configuring LLDP Configuration Examples 5) Enable LLDP-MED on port 1/0/1. Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#lldp med-status Switch(config-if)#end Switch#copy running-config startup-config Verify the Configurations View VLAN settings: Switch#show vlan VLAN Name Status Ports ----- -------------------- --------- ---------------------------------------- System-VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16,...
  • Page 510 Configuring LLDP Configuration Examples View global LLDP settings: Switch_A#show lldp LLDP Status: Enabled LLDP Forward Message: Disabled View LLDP-MED settings on port 1/0/1: Switch_A#show lldp interface gigabitEthernet 1/0/1 LLDP interface config: gigabitEthernet 1/0/1: LLDP-MED Status: Enabled Status ------ Network Policy Location Identification Extended Power Via MDI Inventory Management...
  • Page 511 Configuring LLDP Appendix: Default Parameters Appendix: Default Parameters Default settings of LLDP are listed in the following tables. Default LLDP Settings Table 7-1 Default LLDP Settings Parameter Default Setting LLDP Disabled LLDP Forward Message Disabled Transmit Interval 30 seconds Hold Multiplier Transmit Delay 2 seconds Reinitialization Delay...
  • Page 512 Part 16 Configuring L2PT CHAPTERS 1. Overview 2. L2PT Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 513 Configuring L2PT Overview Overview L2PT (Layer 2 Protocol Tunneling) is a feature for service providers to transparently transmit Layer 2 protocol data units (PDUs) between customer networks at different locations through a public ISP network. Some terminology that is used in this section is defined as follows: ■...
  • Page 514 Configuring L2PT Overview 1) Upon receiving a Layer 2 PDU from CE1 via the UNI port, PE1 replaces the destination MAC address of the PDU with a special multicast MAC address (01:00:0c:cd:cd:d0) and then sends the PDU to the ISP network via the NNI port. 2) The ISP network identifies the PDU and directly forwards it to the other end.
  • Page 515 Configuring L2PT L2PT Configuration L2PT Configuration 2.1 Using the GUI Choose the menu L2 FEATURES > L2PT to load the following page. Figure 2-1 Configuring L2PT Follow these steps to configure L2PT: 1) In the L2PT Config section, enable L2PT globally and click Apply. 2) In the Port Config section, configure the port that is connected to the customer network as a UNI port and specify your desired protocols on the port.
  • Page 516 Configuring L2PT L2PT Configuration Protocol Specify the Layer 2 protocol types of the packets that can be transparently transmitted on the selected port: STP: Enable protocol tunneling for the STP packets. GVRP: Enable protocol tunneling for the GVRP packets. 01000CCCCCCC: Enable protocol tunneling for the packets with their destination MAC address as 01000CCCCCCC, which includes CDP, VTP, PAgP and UDLD.
  • Page 517 Configuring L2PT L2PT Configuration Step 2 l2protocol-tunnel Enable the L2PT feature globally. Step 3 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-id-list } Enter interface configuration mode.
  • Page 518 Configuring L2PT L2PT Configuration Step 10 Return to privileged EXEC mode. Step 11 copy running-config startup-config Save the settings in the configuration file. Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own.
  • Page 519 Configuring L2PT L2PT Configuration Switch(config-if)#l2protocol-tunnel type nni Switch(config-if)#show l2protocol-tunnel interface gigabitEthernet 1/0/5 Interface Type Protocol Threshold --------- ---- -------- --------- ---- Gi1/0/5 --,--,--,--,-- --,--,--,--,-- Switch(config-if)#end Switch#copy running-config startup-config User Guide...
  • Page 520 Configuring L2PT Configuration Example Configuration Example 3.1 Network Requirements As shown below, the two branches of a company are connected through the ISP network, and they want to achieve spanning tree calculation by exchanging Layer 2 STP packets with each other. To meet this requirement, the ISP network needs to transparently transmit the STP packets between the two customer networks.
  • Page 521 Configuring L2PT Configuration Example 1) Choose the menu L2 FEATURES > L2PT to load the following page. Enable the L2PT feature globally and click Apply. 2) Specify port 1/0/1 as an NNI port and click Apply. Specify port 1/0/2 as a UNI port for the STP and set the threshold as 1000.
  • Page 522 Configuring L2PT Configuration Example Switch_A(config-if)#end Switch_A#copy running-config startup-config Verify the Configuration Verify the global configuration: Switch_A#show l2protocol-tunnel global l2protocol-tunnel State: Enable Verify the configuration on port 1/0/1: Switch_A#show l2protocol-tunnel interface gigabitEthernet 1/0/1 Interface Type Protocol Threshold --------- ---- -------- --------- ---- Gi1/0/1 --,--,--,--,--...
  • Page 523 Configuring L2PT Appendix: Default Parameters Appendix: Default Parameters Default settings of L2PT are listed in the following table. Table 4-1 Default Settings of L2PT Parameter Default Setting L2PT Config Layer 2 Protocol Tunneling Disable Port Config Type None Protocol None Threshold None User Guide...
  • Page 524 Part 17 Configuring PPPoE ID Insertion CHAPTERS 1. Overview 2. PPPoE ID Insertion Configuration 3. Appendix: Default Parameters...
  • Page 525 Configuring PPPoE ID Insertion Overview Overview In common PPPoE dialup mode, when users dial up through PPPoE, they can access the network as long as their accounts are authenticated successfully on the RADIUS server. As a result, unauthorized users can use stolen accounts to access the Internet. PPPoE ID Insertion provides a way to resolve this problem.
  • Page 526 Configuring PPPoE ID Insertion PPPoE ID Insertion Configuration PPPoE ID Insertion Configuration 2.1 Using the GUI Choose the menu L2 FEATURES > PPPoE to load the following page. Figure 2-1 Configuring PPPoE ID Insertion Follow these steps to configure PPPoE ID-Insertion: 1) In the PPPoE ID Insertion section, enable PPPoE ID Insertion and click Apply.
  • Page 527 Configuring PPPoE ID Insertion PPPoE ID Insertion Configuration Circuit-ID Enable or disable the Circuit-ID Insertion feature. With this option enabled, the switch will insert a Circuit ID to the received PPPoE Discovery packet on this port. Circuit-ID Type Select the type of the Circuit ID. The following options are provided: IP: The circuit ID includes the following three parts: the source MAC address of the received packet, the IP address of the switch and the port number.
  • Page 528 Configuring PPPoE ID Insertion PPPoE ID Insertion Configuration Step 5 pppoe circuit-id type { mac | ip | udf [ Value ] | udf-only [ Value ] } Specify the type of the Circuit ID. The following options are provided: mac: The source MAC address of the packet, the MAC address of the switch and the port number will be used to encode the Circuit-ID option.
  • Page 529 Configuring PPPoE ID Insertion PPPoE ID Insertion Configuration Switch(config-if)#show pppoe id-insertion interface gigabitEthernet 1/0/1 Port Circuit-ID C-ID Type C-ID Value(UDF) Remote-ID R-ID Value ------- ----------- ----------- ---------------------- ----------- --------------- Gi1/0/1 Enabled UDF-ONLY Enabled host1 Switch(config-if)#end Switch#copy running-config startup-config Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own.
  • Page 530 Configuring PPPoE ID Insertion Appendix: Default Parameters Appendix: Default Parameters Default settings of L2PT are listed in the following table. Table 3-1 PPPoE ID Insertion Parameter Default Setting Global Config PPPoE ID Insertion Disabled Port Config Circuit-ID Disabled Circuit-ID Type UDF Value None Remote-ID...
  • Page 531 Part 18 Configuring Layer 3 Interfaces CHAPTERS 1. Overview 2. Layer 3 Interface Configurations 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 532 Configuring Layer 3 Interfaces Overview Overview Interfaces are used to exchange data and interact with interfaces of other network devices. Interfaces are classified into Layer 2 interfaces and Layer 3 interfaces. ■ Layer 2 interfaces are the physical ports on the switch panel. They forward packets based on the MAC address table.
  • Page 533 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Layer 3 Interface Configurations To complete IPv4 interface configuration, follow these steps: 1) Create a Layer 3 interface 2) Configure IPv4 parameters of the created interface 3) View detailed information of the created interface To complete IPv6 interface configuration, follow these steps: 1) Create a Layer 3 interface 2) Configure IPv6 parameters of the created interface...
  • Page 534 Configuring Layer 3 Interfaces Layer 3 Interface Configurations IPv6 Routing (Optional) Enable IPv6 routing function globally for all Layer 3 interfaces. It is disabled by default. 2) In the Interface Config section, click to load the following page, and configure the corresponding parameters for the Layer 3 interface.
  • Page 535 Configuring Layer 3 Interfaces Layer 3 Interface Configurations 2.1.2 Configuring IPv4 Parameters of the Interface In Figure 2-1, you can view the corresponding interface you have created in the Interface Config section. On the corresponding interface entry, click Edit IPv4 to load the following page and edit the IPv4 parameters of the interface.
  • Page 536 Configuring Layer 3 Interfaces Layer 3 Interface Configurations DHCP Option 12 If you select DHCP as the IP Address Mode, configure the Option 12 here. DHCP Option 12 is used to specify the client’s name. 2) In the Secondary IP Table section, click to add a secondary IP for the specified interface which allows you to have two logical subnets.
  • Page 537 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Figure 2-5 Configuring the IPv6 Parameters 1) In the Modify IPv6 Interface section, enable the IPv6 feature for the interface and configure the corresponding parameters. Then click Apply. Interface ID Displays the interface ID. Admin Status Enable the Layer 3 capabilities for the interface.
  • Page 538 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Status Displays the status of the link-local address. An IPv6 address cannot be used until it passes DAD (Duplicate Address Detection), which is used to detect address conflicts. During the DAD process, the IPv6 address may be in one of three states: Normal: Indicates that the link-local address has passed DAD and can be used normally.
  • Page 539 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Prefix Length Configure the prefix length of the global address. 3) View the global address entry in the Global Address Config. Global Address View or modify the global address. Prefix Length View or modify the prefix length of the global address. Type Displays the configuration mode of the global address.
  • Page 540 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Figure 2-6 Viewing the detail information of the interface 2.2 Using the CLI 2.2.1 Creating a Layer 3 Interface Follow these steps to create a Layer 3 interface. You can create a VLAN interface, a loopback interface, a routed port or a port-channel interface according to your needs.
  • Page 541 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Step 2 Create a VLAN interface: interface vlan vlan-id vlan-id : Specify an IEEE 802.1Q VLAN ID that already exists, ranging from 1 to 4094. Create a loopback interface: interface loopback { id } Specify the ID of the loopback interface, ranging from 1 to 64.
  • Page 542 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Switch#copy running-config startup-config 2.2.2 Configuring IPv4 Parameters of the Interface Follow these steps to configure the IPv4 parameters of the interface. Step 1 configure Enter global configuration mode. Step 2 interface { interface-type } { interface-id } Enter Layer 3 interface configuration mode.
  • Page 543 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Switch(config-if)#show ip interface brief Interface IP-Address Method Status Protocol Shutdown --------- ---------- ------ ------ -------- -------- Gi1/0/1 192.168.0.100/24 Static Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Configuring IPv6 Parameters of the Interface Follow these steps to configure the IPv6 parameters of the interface. Step 1 configure Enter global configuration mode.
  • Page 544 Configuring Layer 3 Interfaces Layer 3 Interface Configurations Step 5 Configure the IPv6 global address for the specified interface: Automatically configure the interface’s global IPv6 address via RA message: ipv6 address ra Configure the interface’s global IPv6 address according to the address prefix and other configuration parameters from its received RA (Router Advertisement) message.
  • Page 545 Configuring Layer 3 Interfaces Layer 3 Interface Configurations ICMP error messages limited to one every 1000 milliseconds ICMP redirects are enable MTU is 1500 bytes ND DAD is enable, number of DAD attempts: 1 ND retrans timer is 1000 milliseconds ND reachable time is 30000 milliseconds Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 546 Configuring Layer 3 Interfaces Configuration Example Configuration Example 3.1 Network Requirement The administrator needs to allow the hosts in the VLANs to access the internet. The topology is shown below. Figure 3-1 Network Topology Router Gi 1/0/2 Gi 1/0/10 Switch VLAN 2 VLAN 10 3.2 Configuration Scheme The hosts in the VLANs are separated at Layer 2.
  • Page 547 Configuring Layer 3 Interfaces Configuration Example 1) Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 2. Add port 1/0/2 to VLAN 2 with its egress rule as Untagged. Figure 3-2 Create VLAN 2 2) Go to L3 FEATURES > Interface to enable IPv4 routing (enabled by default), then click to create VLAN interface 2.
  • Page 548 Configuring Layer 3 Interfaces Configuration Example Switch(config)#vlan 2 Switch(config-vlan)#exit Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#switchport general allowed vlan 2 untagged Switch(config-if)#exit 2) Create VLAN interface 2 for VLAN 2. Configure the IP address of VLAN interface 2 as 192.168.2.1. Switch(config)#interface vlan 2 Switch(config-if)#ip address 192.168.2.1 255.255.255.0 Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 549 Configuring Layer 3 Interfaces Appendix: Default Parameters Appendix: Default Parameters Default settings of interface are listed in the following tables. Table 4-1 Default Settings of Routing Config Parameter Default Setting IPv4 Routing Enabled IPv6 Routing Disabled Table 4-2 Configuring the IPv4 Parameters of the Interface Parameter Default Setting Interface ID...
  • Page 550 Part 19 Configuring Routing CHAPTERS 1. Overview 2. IPv4 Static Routing Configuration 3. IPv6 Static Routing Configuration 4. Viewing Routing Table 5. Example for Static Routing...
  • Page 551 Configuring Routing Overview Overview A routing table is used by a Layer 3 device (in this configuration guide, the switch) to forward packets to the correct destination. When the switch receives packets whose source IP address and destination IP address are in different subnets, it checks the routing table, finds the correct outgoing interface, and then forwards the packets.
  • Page 552 Configuring Routing IPv4 Static Routing Configuration IPv4 Static Routing Configuration 2.1 Using the GUI Choose the menu L3 FEATURES > Static Routing > IPv4 Static Routing and click to load the following page. Figure 2-1 Configuring the IPv4 Static Routing Configure the corresponding parameters to add an IPv4 static routing entry. Then click Create.
  • Page 553 Configuring Routing IPv4 Static Routing Configuration 2.2 Using the CLI Follow these steps to create an IPv4 static route. Step 1 configure Enter global configuration mode. Step 2 ip route { dest-address } { mask } { next-hop-address } [ distance ] Add an IPv4 static route.
  • Page 554 Configuring Routing IPv6 Static Routing Configuration IPv6 Static Routing Configuration 3.1 Using the GUI Choose the menu L3 FEATURES > Static Routing > IPv6 Static Routing > IPv6 Static Routing Table and click to load the following page. Figure 3-1 Configuring the IPv6 Static Routing Configure the corresponding parameters to add an IPv6 static routing entry.
  • Page 555 Configuring Routing IPv6 Static Routing Configuration 3.2 Using the CLI Follow these steps to enable IPv6 routing function and create an IPv6 static route. Step 1 configure Enter global configuration mode. Step 2 ipv6 routing Enable the IPv6 routing function on the specified Layer 3 interface. Step 3 ipv6 route { ipv6-dest-address } { next-hop-address } [ distance ] Add an IPv6 static route.
  • Page 556 Configuring Routing Viewing Routing Table Viewing Routing Table You can view the routing tables to learn about the network topology. The switch supports IPv4 routing table and IPv6 routing table. 4.1 Using the GUI 4.1.1 Viewing IPv4 Routing Table Choose the menu L3 FEATURES > Routing Table > IPv4 Routing Table to load the following page.
  • Page 557 Configuring Routing Viewing Routing Table 4.1.2 Viewing IPv6 Routing Table Choose the menu L3 FEATURES > Routing Table > IPv6 Routing Table to load the following page. Figure 4-2 Viewing IPv6 Routing Table View the IPv6 routing entries. Protocol Displays the type of the routing entry. Connected: The destination network is directly connected to the switch.
  • Page 558 Configuring Routing Viewing Routing Table 4.2.2 Viewing IPv6 Routing Table In privileged EXEC mode or any other configuration mode, you can use the following command to view the IPv6 routing table: show ipv6 route [ static | connected ] View the IPv6 route entries of the specified type. If not specified, all types of route entries will be displayed.
  • Page 559 Configuring Routing Example for Static Routing Example for Static Routing 5.1 Network Requirements As shown below, Host A and Host B are on different network segments. To meet business needs, Host A and Host B need to establish a connection without using dynamic routing protocols to ensure stable connectivity.
  • Page 560 Configuring Routing Example for Static Routing Figure 5-2 Create a Routed Port Gi1/0/1 for Switch A Figure 5-3 Create a Routed Port Gi1/0/2 for Switch A 2) Choose the menu L3 FEATURES > Static Routing > IPv4 Static Routing to load the following page.
  • Page 561 Configuring Routing Example for Static Routing mask as 255.255.255.0 and the next hop as 10.1.10.2. For switch B, add a static route entry with the destination as 10.1.1.0, the subnet mask as 255.255.255.0 and the next hop as 10.1.10.1. Figure 5-4 Add a Static Route for Switch A 5.4 Using the CLI The configurations of Switch A and Switch B are similar.
  • Page 562 Configuring Routing Example for Static Routing Switch_A#configure Switch_A(config)#ip route 10.1.2.0 255.255.255.0 10.1.10.2 Switch_A(config)#end Switch_A#copy running-config startup-config Verify the Configurations ■ Switch A Verify the static routing configuration: Switch_A#show ip route Codes: C - connected, S - static * - candidate default 10.1.1.0/24 is directly connected, Vlan10 10.1.10.0/24 is directly connected, Vlan20 10.1.2.0/24 [1/0] via 10.1.10.2, Vlan20...
  • Page 563 Configuring Routing Example for Static Routing Ping statistics for 10.1.2.1: Packets: Sent = 4 , Received = 4 , Lost = 0 (0% loss) Approximate round trip times in milli-seconds: Minimum = 1ms , Maximum = 3ms , Average = 1ms User Guide...
  • Page 564 Part 20 Configuring DHCP Service CHAPTERS 1. DHCP 2. DHCP Server Configuration 3. DHCP Relay Configuration 4. DHCP L2 Relay Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 565 Configuring DHCP Service DHCP DHCP 1.1 Overview DHCP (Dynamic Host Configuration Protocol) is widely used to automatically assign IP addresses and other network configuration parameters to network devices, enhancing the utilization of IP addresses. 1.2 Supported Features The supported DHCP features of the switch include DHCP Server, DHCP Relay and DHCP L2 Relay.
  • Page 566 DHCP class on the DHCP server to identify the Option 82 payload. TP-Link switches preset a default circuit ID and remote ID in TLV (Type, Length, and Value) format. You can also configure the format to include Value only and customize the Value.
  • Page 567 Configuring DHCP Service DHCP *Format Indicates the packet format of the sub-option field. Two options are available: ■ Normal: Indicates the field consists of three parts: Type, Length, and Value (TLV). ■ Private: Indicates the field consists of the value only. *Type A one-byte field indicating whether the Value field is customized or not.
  • Page 568 Configuring DHCP Service DHCP can assign IP addresses that are in the same subnet with the Relay Agent IP Address to the clients. The switch supports specifying a DHCP server for multiple Layer 3 interfaces, which makes it possible to assign IP addresses to clients in different subnets from the same DHCP server.
  • Page 569 Configuring DHCP Service DHCP Figure 1-3 Application Scenario of DHCP VLAN Relay DHCP Server DHCP Relay DHCP Clients DHCP Clients Default Agent Interface: VLAN 20 VLAN 10 192.168.2.1/24 192.168.2.0/24 192.168.2.0/24 Note: • If the VLAN already has an IP address, the switch will use the IP address of the VLAN as the relay agent IP address.
  • Page 570 Configuring DHCP Service DHCP Server Configuration DHCP Server Configuration To complete DHCP server configuration, follow these steps: 1) Enable the DHCP Server feature on the switch. 2) Configure DHCP Server Pool. 3) (Optional) Manually assign static IP addresses for some clients. 2.1 Using the GUI 2.1.1 Enabling DHCP Server Choose the menu L3 FEATURES >...
  • Page 571 Configuring DHCP Service DHCP Server Configuration Option 60 (Optional) Specify the Option 60 for device identification. It is mostly used in scenarios where APs (Access Points) apply for different IP addresses from different servers according to their needs. If an AP requests Option 60, the server will respond with a packet containing the Option 60 configured here.
  • Page 572 Configuring DHCP Service DHCP Server Configuration Starting IP Address/Ending IP Address: Specify the starting IP address and ending IP address of the excluded IP address range. If the starting IP address and ending IP address are the same, the server excludes only one IP address. When configuring DHCP Server, you need to reserve certain IP addresses for each subnet, such as the default gateway address, broadcast address and DNS server address.
  • Page 573 Configuring DHCP Service DHCP Server Configuration Default Gateway (Optional) Configure the default gateway of the DHCP server pool. You can create up to 8 default gateways for each DHCP server pool. If you leave this field blank, the DHCP server will not assign this parameter to clients. In general, you can configure the IP address of the VLAN interface as the default gateway address.
  • Page 574 Configuring DHCP Service DHCP Server Configuration Choose the menu L3 FEATURES > DHCP Service >DHCP Server > Manual Binding and click to load the following page. Figure 2-4 Manual Binding Select a pool name and enter the IP address to be bound. Select a binding mode and finish the configuration accordingly.
  • Page 575 Configuring DHCP Service DHCP Server Configuration Step 3 ip dhcp server extend-option vendor-class-id vendor (Optional) Specify the Option 60 for server identification. If a client requests Option 60, the server will respond with a packet containing the Option 60 configured here. The client will then compare the received Option 60 with its own.
  • Page 576 Configuring DHCP Service DHCP Server Configuration Step 10 show ip dhcp server excluded-address Verify the configuration of the excluded IP address. Step 11 Return to Privileged EXEC Mode. Step 12 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable DHCP Server globally on the switch, configure the number of ping packets as 2 and configure the timeout period for ping tests as 200 ms: Switch#configure...
  • Page 577 Configuring DHCP Service DHCP Server Configuration The following example shows how to configure the 192.168.1.1 as the default gateway address and excluded IP address: Switch#configure Switch(config)#ip dhcp server excluded-address 192.168.1.1 192.168.1.1 Switch(config)#show ip dhcp server excluded-address Start IP Address End IP Address ------------- -------------- 192.168.1.1...
  • Page 578 Configuring DHCP Service DHCP Server Configuration Step 6 dns-server dns-server-list (Optional) Specify the DNS server of the DHCP server pool. In general, you can configure the IP address of the VLAN interface as the DNS server address. dns-server-list : Specify the IP address of the DNS server. You can specify up to 8 DNS servers for each DHCP server pool.
  • Page 579 Configuring DHCP Service DHCP Server Configuration Step 14 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a DHCP server pool with the parameters shown in Table 2-1. Table 2-1 Parameters for the DHCP Server Pool Parameter Value Pool Name...
  • Page 580 Configuring DHCP Service DHCP Server Configuration Switch(dhcp-config)#show ip dhcp server pool Pool Name: pool1 Network Address: 192.168.1.0 Subenet Mask: 255.255.255.0 Lease Time: 180 Default Gateway: 192.168.1.1 DNS Server: 192.168.1.4 Netbios Server: 192.168.1.19 Netbios Node Type: b-node Next Server Address: 192.168.1.30 Domain Name: Bootfile Name: bootfile...
  • Page 581 Configuring DHCP Service DHCP Server Configuration Step 3 Bind an IP address to a client: address ip-address client-identifier client-id Bind the specified IP address to the client with a specific hexadecimal client ID. ip-address: Specify the IP address to be bound. client-id: Specify the client ID in hexadecimal format.
  • Page 582 Configuring DHCP Service DHCP Relay Configuration DHCP Relay Configuration To complete DHCP Relay configuration, follow these steps: 1) Enable DHCP Relay. Configure Option 82 if needed. 2) Specify DHCP server for the Interface or VLAN. 3.1 Using the GUI 3.1.1 Enabling DHCP Relay and Configuring Option 82 Choose the menu L3 FEATURES >...
  • Page 583 Configuring DHCP Service DHCP Relay Configuration DHCP Relay: Enable DHCP Relay globally. DHCP Relay Hops: Specify the DHCP relay hops. DHCP Relay Hops defines the maximum number of hops (DHCP relay agents) through which DHCP packets can be relayed. If a packet’s hop count is more than the value you set here, the packet will be dropped.
  • Page 584 Configuring DHCP Service DHCP Relay Configuration Remote ID Customization: Enable or disable Remote ID Customization. Enable it if you want to manually configure the remote ID. Otherwise, the switch uses its own MAC address as the remote ID. Remote ID: Enter the customized remote ID with up to 64 characters.
  • Page 585 Configuring DHCP Service DHCP Relay Configuration Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP VLAN Relay to load the following page. Figure 3-3 Configure DHCP VLAN Relay Follow these steps to specify DHCP Server for the specific VLAN: 1) In the Default Relay Agent Interface section, specify a Layer 3 interface as the default relay agent interface.
  • Page 586 Configuring DHCP Service DHCP Relay Configuration VLAN ID Specify the VLAN in which the clients can get IP addresses from the DHCP server. Server Address Enter the IP address of the DHCP server. 3.2 Using the CLI 3.2.1 Enabling DHCP Relay Follow these steps to enable DHCP Relay and configure the corresponding parameters: Step 1 configure...
  • Page 587 Configuring DHCP Service DHCP Relay Configuration Switch(config)#service dhcp relay Switch(config)#show ip dhcp relay Switch(config)#ip dhcp relay hops 5 Switch(config)#ip dhcp relay time 10 DHCP relay state: enabled DHCP relay hops: 5 DHCP relay Time Threshold: 10 seconds Switch(config)#end Switch#copy running-config startup-config 3.2.2 (Optional) Configuring Option 82 Follow these steps to configure Option 82: Step 1...
  • Page 588 Configuring DHCP Service DHCP Relay Configuration Step 6 ip dhcp relay information circuit-id string (Optional) A default circuit ID is preset on the switch, and you can also run this command to customize the circuit ID. The circuit ID configurations of the switch and the DHCP server should be compatible with each other.
  • Page 589 Configuring DHCP Service DHCP Relay Configuration Switch(config-if)#end Switch#copy running-config startup-config 3.2.3 Configuring DHCP Interface Relay You can specify a DHCP server for a Layer 3 interface or for a VLAN. The following introduces how to configure DHCP Interface Relay and DHCP VLAN Relay, respectively. Follow these steps to configure DHCP Interface Relay: Step 1 configure...
  • Page 590 Configuring DHCP Service DHCP Relay Configuration The following example shows how to configure the DHCP server address as 192.168.1.7 on VLAN interface 66: Switch#configure Switch(config)#interface vlan 66 Switch(config-if)#ip helper-address 192.168.1.7 Switch(config-if)#show ip dhcp relay DHCP relay helper address is configured on the following interfaces: Interface Helper address ----------...
  • Page 591 Configuring DHCP Service DHCP Relay Configuration Step 2 Enter Layer 3 Interface Configuration Mode: Enter VLAN Interface Configuration Mode: interface vlan vlan-id vlan-id : Specify an IEEE 802.1Q VLAN ID that already exists, ranging from 1 to 4094. Enter Routed Port Configuration Mode: interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } Enter Interface Configuration Mode.
  • Page 592 Configuring DHCP Service DHCP Relay Configuration The following example shows how to set the routed port 1/0/2 as the default relay agent interface and configure the DHCP server address as 192.168.1.8 on VLAN 10: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#no switchport Switch(config-if)# ip dhcp relay default-interface Switch(config-if)#exit Switch(config)#ip dhcp relay vlan 10 helper-address 192.168.1.8...
  • Page 593 Configuring DHCP Service DHCP L2 Relay Configuration DHCP L2 Relay Configuration To complete DHCP L2 Relay configuration, follow these steps: 1) Enable DHCP L2 Relay. 2) Configure Option 82 for ports. 4.1 Using the GUI 4.1.1 Enabling DHCP L2 Relay Choose the menu L3 FEATURES >...
  • Page 594 Configuring DHCP Service DHCP L2 Relay Configuration 4.1.2 Configuring Option 82 for Ports Choose the menu L3 FEATURES > DHCP Service > DHCP L2 Relay > Port Config to load the following page. Figure 4-2 Configure Option 82 for Ports Follow these steps to enable DHCP Relay and configure Option 82: 1) Select one or more ports to configure Option 82.
  • Page 595 Configuring DHCP Service DHCP L2 Relay Configuration Circuit ID Customization: Enable or disable Circuit ID Customization. Enable it if you want to manually configure the circuit ID. Otherwise, the switch uses the default one when inserting Option 82 to DHCP packets. The default circuit ID is a 4-byte value which consists of 2-byte VLAN ID and 2-byte Port ID.
  • Page 596 Configuring DHCP Service DHCP L2 Relay Configuration The following example shows how to enable DHCP L2 Relay globally and for VLAN 2: Switch#configure Switch(config)#ip dhcp l2relay Switch(config)#ip dhcp l2relay vlan 2 Switch(config)#show ip dhcp l2relay Global Status: Enable VLAN ID: 2 Switch(config)#end Switch#copy running-config startup-config 4.2.2 Configuring Option 82 for Ports...
  • Page 597 Configuring DHCP Service DHCP L2 Relay Configuration Step 6 ip dhcp l2relay information circuit-id string (Optional) A default circuit ID is preset on the switch, and you can also run this command to customize the circuit ID. The circuit ID configurations of the switch and the DHCP server should be compatible with each other.
  • Page 598 Configuring DHCP Service DHCP L2 Relay Configuration Switch(config-if)#end Switch#copy running-config startup-config
  • Page 599 Configuring DHCP Service Configuration Examples Configuration Examples 5.1 Example for DHCP Server 5.1.1 Network Requirements As the network topology shows, the administrator uses the switch as the DHCP server to assign IP addresses to all the connected devices. The office computers need to obtain IP addresses dynamically, while the FTP server needs a fixed IP address.
  • Page 600 Configuring DHCP Service Configuration Examples Subnet Mask, Lease Time, Default Gateway and DNS Server as shown below. Click Create. Figure 5-3 Configuring DHCP Server Pool 3) Choose the menu L3 FEATURES > DHCP Service > DHCP Server > Manual Binding and click to load the following page.
  • Page 601 Configuring DHCP Service Configuration Examples 5.1.4 Using the CLI 1) Enable DHCP Server. Switch#configure Switch(config)#service dhcp server 2) Specify the Pool Name, Network Address, Subnet Mask and Lease Time. Switch(config)#ip dhcp server pool pool Switch(dhcp-config)#network 192.168.0.0 255.255.255.0 Switch(dhcp-config)#lease 120 Switch(dhcp-config)#exit 3) Bind the specified IP address to the MAC address of the FTP server.
  • Page 602 Configuring DHCP Service Configuration Examples the switch. The Marketing department is connected to port 1/0/1 of the relay agent, and the R&D department is connected to port 1/0/2 of the relay agent. Figure 5-5 Network Topology for DHCP Interface Relay DHCP Server 192.168.0.59/24 VLAN 10 VLAN 20...
  • Page 603 Configuring DHCP Service Configuration Examples 5.2.3 Using the GUI ■ Configuring the DHCP Server 1) Choose the menu L3 FEATURES > DHCP Service > DHCP Server > DHCP Server to load the following page. In the Global Config section, enable DHCP Server globally. Figure 5-6 Configuring DHCP Server 2) Choose the menu L3 FEATURES >...
  • Page 604 Configuring DHCP Service Configuration Examples Figure 5-8 Configuring DHCP Pool 2 for VLAN 20 3) Choose the menu L3 FEATURES > Static Routing > IPv4 Static Routing and click to load the following page. Create two static routing entries for the DHCP server to make sure that the DHCP server can reach the clients in the two VLANs.
  • Page 605 Configuring DHCP Service Configuration Examples Figure 5-10 Creating the Static Routing Entry for VLAN 20 ■ Configuring the VLANs on the Relay Agent 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10 for the Marketing department and add port 1/0/1 as an untagged port to the VLAN.
  • Page 606 Configuring DHCP Service Configuration Examples 2) On the same page, click again to create VLAN 20 for the R&D department and add port 1/0/2 as an untagged port to the VLAN. Figure 5-12 Creating VLAN 20
  • Page 607 Configuring DHCP Service Configuration Examples ■ Configuring the VLAN Interface and Routed Port on the Relay Agent 1) Choose the menu L3 FEATURES > Interface and click to load the following page. Create VLAN interface 10 and VLAN interface 20. Configure port 1/0/5 as the routed port.
  • Page 608 Configuring DHCP Service Configuration Examples Figure 5-15 Configuring the Routed Port ■ Configuring DHCP Interface Relay on the Relay Agent 1) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP Relay Config to load the following page. In the Global Config section, enable DHCP Relay, and click Apply.
  • Page 609 Configuring DHCP Service Configuration Examples Figure 5-18 Specify DHCP Server for Interface VLAN 20 3) Click to save the settings. 5.2.4 Using the CLI ■ Configuring the DHCP Server 1) Enable DHCP service globally. Switch#configure Switch(config)#service dhcp server 2) Create DHCP pool 1 and configure its network address as 192.168.2.0, subnet mask as 255.255.255.0, lease time as 120 minutes, default gateway as 192.168.2.1;...
  • Page 610 Configuring DHCP Service Configuration Examples Switch#copy running-config startup-config ■ Configuring the VLAN on the Relay Agent Switch(config)# vlan 10 Switch(config-vlan)#name Marketing Switch(config-vlan)#exit Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#switchport general allowed vlan 10 untagged Switch(config-if)#exit Switch(config)# vlan 20 Switch(config-vlan)#name RD Switch(config-vlan)#exit Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#switchport general allowed vlan 20 untagged Switch(config-if)#exit ■...
  • Page 611 Configuring DHCP Service Configuration Examples 2) Specify the DHCP server for the interface VLAN 10. Switch(config)#interface vlan 10 Switch(config-if)#ip helper-address 192.168.0.59 Switch(config-if)#exit 3) Specify the DHCP server for interface VLAN 20 Switch(config)#interface vlan 20 Switch(config-if)#ip helper-address 192.168.0.59 Switch(config-if)#end Switch#copy running-config startup-config Verify the Configurations of the DHCP Relay Agent Switch#show ip dhcp relay DHCP relay is enabled...
  • Page 612 Configuring DHCP Service Configuration Examples The network topology designed by the administrator is shown below. Figure 5-19 Network Topology for DHCP VLAN Relay DHCP Server 192.168.0.59/24 VLAN 10 VLAN 20 Gi1/0/2 Gi1/0/1 DHCP Relay Agent 192.168.0.1 Marketing Dept. R&D Dept. 5.3.2 Configuration Scheme In the given situation, the DHCP server and the computers are isolated by VLANs, so the DHCP request from the clients cannot be directly forwarded to the DHCP server.
  • Page 613 Configuring DHCP Service Configuration Examples 5.3.3 Using the GUI ■ Configuring the DHCP Server 1) Choose the menu L3 FEATURES > DHCP Service > DHCP Server > DHCP Server to load the following page. In the Global Config section, enable DHCP Server globally. Figure 5-20 Configuring DHCP Server 2) Choose the menu L3 FEATURES >...
  • Page 614 Configuring DHCP Service Configuration Examples ■ Configuring the VLANs on the Relay Agent 1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10 for the Marketing department and add port 1/0/1 as untagged port to the VLAN.
  • Page 615 Configuring DHCP Service Configuration Examples 2) On the same page, click again to create VLAN 20 for the R&D department and add port 1/0/2 as untagged port to the VLAN. Figure 5-23 Creating VLAN 20 ■ Configuring DHCP VLAN Relay on the Relay Agent 1) Choose the menu L3 FEATURES >...
  • Page 616 Configuring DHCP Service Configuration Examples VLAN interface 1 (the default management VLAN interface) as the default relay-agent interface. Click Apply. Figure 5-25 Specify the Default Relay Agent Interface 3) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP VLAN Relay and click to load the following page.
  • Page 617 Configuring DHCP Service Configuration Examples Switch(dhcp-config)#lease 120 Switch(dhcp-config)#default-gateway 192.168.0.1 Switch(dhcp-config)#dns-server 192.168.0.2 Switch(dhcp-config)#end Switch#copy running-config startup-config ■ Configuring the VLAN on the Relay Agent Switch#configure Switch(config)# vlan 10 Switch(config-vlan)#name Marketing Switch(config-vlan)#exit Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#switchport general allowed vlan 10 untagged Switch(config-if)#exit Switch(config)# vlan 20 Switch(config-vlan)#name RD Switch(config-vlan)#exit...
  • Page 618 Configuring DHCP Service Configuration Examples Verify the Configurations of the DHCP Relay Agent Switch#show ip dhcp relay Switch#show ip dhcp relay DHCP relay state: enabled DHCP relay default relay agent interface: Interface: VLAN 1 IP address: 192.168.0.1 DHCP vlan relay helper address is configured on the following vlan: vlan Helper address --------------------- -------------------------...
  • Page 619 Configuring DHCP Service Configuration Examples Figure 5-28 Network Topology for Option 82 in DHCP Relay DHCP Server 192.168.0.59/24 Gi1/0/1 Gi1/0/2 VLAN 2 VLAN 2 192.168.2.1/24 192.168.2.1/24 Switch A DHCP Relay 00:00:FF:FF:27:12 Group 1 Group 2 192.168.2.50-192.168.2.100 192.168.2.150-192.168.2.200 5.4.2 Configuration Scheme To meet the requirements, you can configure Option  82 in DHCP Relay on Switch A. With DHCP Relay enabled, the switch can forward DHCP requests and replies between clients and the server.
  • Page 620 Configuring DHCP Service Configuration Examples 5.4.3 Configuring the DHCP Relay Switch Using the GUI Follow these steps to configure DHCP relay and enable Option  82 in DHCP Relay on Switch A: 1) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP Relay Config to load the following page.
  • Page 621 Configuring DHCP Service Configuration Examples 3) Choose the menu L3 FEATURES > DHCP Service > DHCP Relay > DHCP Interface Relay and click to load the following page. Specify the DHCP server address to assign IP addresses for clients in VLAN 2. Click Create. Figure 5-31 Specify DHCP Server for Interface VLAN 2 4) Click to save the settings.
  • Page 622 Configuring DHCP Service Configuration Examples DHCP relay state: enabled DHCP relay helper address is configured on the following interfaces: Interface Helper address ------------ ------------------- VLAN2 192.168.0.59 View port settings: Switch#show ip dhcp relay information interface Interface Option 82 Status Operation Strategy Format Circuit ID --------- ---------------- ------------------ -------...
  • Page 623 Configuring DHCP Service Configuration Examples Group Sub-option Type (Hex) Length (Hex) Value (Hex) Circuit ID 00:02:00:02 Remote ID 00:00:FF:FF:27:12 The configuration file /etc/dhcpd.conf of the Linux ISC DHCP Server is: ddns-update-style interim; ignore client-updates; # Create two classes to match the pattern of Option 82 in DHCP request packets from # Group 1 and Group 2, respectively.
  • Page 624 Configuring DHCP Service Configuration Examples 5.5 Example for DHCP L2 Relay 5.5.1 Network Requirements As the following figure shows, two groups of computers are connected to Switch A, and Switch A is connected to the DHCP server. All devices on the network are in the default VLAN 1.
  • Page 625 Configuring DHCP Service Configuration Examples 2) Configuring the DHCP Server The detailed configurations on the DHCP server may be different among different devices. You can refer to the related document that is for the DHCP server you use. Demonstrated with a Linux ISC DHCP Server, 5.5.4 Configuring the DHCP Server provides information about how to set its DHCP configuration file.
  • Page 626 Configuring DHCP Service Configuration Examples Figure 5-34 Configuring Port 1/0/1 3) On the same page, select port 1/0/2, enable Option 82 Support and select Option 82 Policy as Replace. You can configure other parameters according to your needs. In this example, keep Format as Normal and Remote ID Customization as Disabled. Enable Circuit ID Customization and specify the Circuit ID as Group2.
  • Page 627 Configuring DHCP Service Configuration Examples Switch(config)#ip dhcp l2relay Switch(config)#ip dhcp l2relay vlan 1 2) On port 1/0/1, enable Option  82 and select Option  82 Policy as Replace. You can configure other parameters according to your needs. In this example, keep Format as Normal and Remote ID Customization as Disabled.
  • Page 628 Configuring DHCP Service Configuration Examples Switch#show ip dhcp l2relay information interface gigabitEthernet 1/0/1 Interface Option 82 Status Operation Strategy Format Circuit ID ... --------- ---------------- ------------------ ------- --------- Gi1/0/2 Enable Replace Normal Group2 5.5.4 Configuring the DHCP Server Note: • Make sure the DHCP server supports Option 82 and more than one DHCP address pool.
  • Page 629 Configuring DHCP Service Configuration Examples # Similarly, the offset of the agent remote ID is 2 and the length is 6. class "Group1" { match if substring (option agent.circuit-id, 2, 6) = "Group1" and substring (option agent.remote-id, 2, 6) = 00:00:ff:ff:27:12; } class "Group2"...
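The Option 82 matching used in the ISC dhcpd classes above can be checked offline with the following added example, which is not part of the TP-Link guide. It splits an Option 82 payload into its RFC 3046 sub-options, unwraps the Normal (Type, Length, Value) or Private (Value only) format, and shows why the offset-2 `substring` match only works when the server's expectation agrees with the relay's Format setting. Function names are hypothetical, the inner Type byte in the sample is a constructed placeholder, and network byte order is assumed for the default circuit ID.

```python
import struct

CIRCUIT_ID, REMOTE_ID = 1, 2                         # RFC 3046 sub-option codes
EXPECTED_REMOTE_ID = bytes.fromhex("0000ffff2712")   # Switch A's MAC in the example
GROUPS = {b"Group1": "Group1", b"Group2": "Group2"}  # customized circuit IDs


class Option82Error(ValueError):
    """Raised when the option payload is truncated or internally inconsistent."""


def split_suboptions(payload):
    """Split an Option 82 payload into {code: data} (code, length, data triples)."""
    found, i = {}, 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise Option82Error("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise Option82Error(f"sub-option {code} overruns the option")
        if code in found:
            raise Option82Error(f"duplicate sub-option {code}")
        found[code] = data
        i += 2 + length
    return found


def unwrap(data, fmt):
    """Return the Value of one sub-option for the relay's configured Format."""
    if fmt == "private":                 # Private: the field is the Value only
        return data
    if fmt != "normal":
        raise ValueError("fmt must be 'normal' or 'private'")
    # Normal: inner Type (1 byte), Length (1 byte), then Value
    if len(data) < 2 or data[1] != len(data) - 2:
        raise Option82Error("inner Type/Length header does not match the data")
    return data[2:]


def dhcpd_substring(data, offset, length):
    """Mirror ISC dhcpd's substring(data, offset, length) on raw sub-option data."""
    return data[offset:offset + length]


def default_circuit_id(value):
    """Decode the default 4-byte circuit ID: 2-byte VLAN ID, then 2-byte port ID."""
    if len(value) != 4:
        raise Option82Error("default circuit ID must be 4 bytes")
    return struct.unpack("!HH", value)   # assumption: network byte order


def classify(payload, fmt="normal"):
    """Return the group name, or None when the payload must not select a pool."""
    subs = split_suboptions(payload)
    if CIRCUIT_ID not in subs or REMOTE_ID not in subs:
        return None
    if unwrap(subs[REMOTE_ID], fmt) != EXPECTED_REMOTE_ID:
        return None                      # not inserted by the expected relay
    return GROUPS.get(unwrap(subs[CIRCUIT_ID], fmt))


def build(circuit_value, remote_value, fmt="normal", inner_type=0x01):
    """Build constructed test input; inner_type is a placeholder, never interpreted."""
    def sub(code, value):
        body = value if fmt == "private" else bytes([inner_type, len(value)]) + value
        return bytes([code, len(body)]) + body
    return sub(CIRCUIT_ID, circuit_value) + sub(REMOTE_ID, remote_value)


if __name__ == "__main__":
    normal = build(b"Group1", EXPECTED_REMOTE_ID)
    private = build(b"Group1", EXPECTED_REMOTE_ID, fmt="private")
    print(classify(normal), dhcpd_substring(split_suboptions(normal)[CIRCUIT_ID], 2, 6))
    print(dhcpd_substring(split_suboptions(private)[CIRCUIT_ID], 2, 6))  # misaligned
```

With the Private format the same offset-2 match lands inside the Value, so a server class written for the Normal format silently stops matching and clients fall out of their intended pool.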
  • Page 630 Configuring DHCP Service Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Server are listed in the following table. Table 6-1 Default Settings of DHCP Server Parameter Default Setting Global Config DHCP Server Disabled Option 60 None Option 138 None Ping Time Config Ping Packets...
  • Page 631 Configuring DHCP Service Appendix: Default Parameters Parameter Default Setting Manual Binding Pool Name None IP Address None Binding Mode Client ID Client Id None Hardware Address None Hardware Type Ethernet Default settings of DHCP Relay are listed in the following table. Table 6-2 Default Settings of DHCP Relay Parameter...
  • Page 632 Configuring DHCP Service Appendix: Default Parameters Parameter Default Setting DHCP VLAN Relay Interface ID None VLAN ID None Server Address None Default settings of DHCP L2 Relay are listed in the following table. Table 6-3 Default Settings of DHCP L2 Relay Parameter Default Setting Global Config...
  • Page 633 Part 21 Configuring ARP CHAPTERS 1. Overview 2. ARP Configurations 3. Appendix: Default Parameters...
  • Page 634 Configuring ARP Overview Overview ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. Taking an IP address as input, ARP learns the associated MAC address, and stores the IP-MAC address association in an ARP entry for rapid retrieval. Supported Features ARP Table The ARP table displays all the ARP entries, including dynamic entries and static entries.
  • Page 635 Configuring ARP Overview Figure 1-1 Proxy ARP Application VLAN Interface 3 VLAN Interface 2 192.168.2.1/24 192.168.3.1/24 192.168.2.10/16 192.168.3.20/16 Local Proxy ARP Local Proxy ARP is similar to Proxy ARP. As shown below, two hosts are in the same VLAN and connected to VLAN interface 1, but port 1/0/1 and port 1/0/2 are isolated on Layer 2. In this case, neither host can receive the other’s ARP requests.
  • Page 636 Configuring ARP ARP Configurations ARP Configurations With ARP configurations, you can: ■ View dynamic and static ARP entries. ■ Add or delete static ARP entries. To configure the Gratuitous ARP feature: ■ Configure the Gratuitous ARP globally and set the Gratuitous ARP sending interval To configure the Proxy ARP feature: ■...
  • Page 637 Configuring ARP ARP Configurations Type: Displays the type of an ARP entry. Static: The entry is added manually and will always remain the same. Dynamic: The entry will be deleted after the aging time elapses. The default aging time value is 600 seconds. If you want to change the aging time, you can use the CLI to configure it.
  • Page 638 Configuring ARP ARP Configurations Figure 2-3 Configuring Gratuitous ARP Follow these steps to configure the Gratuitous ARP feature for the interface. 1) In the Gratuitous ARP Global Settings section, configure the global parameters for gratuitous ARP. Then click Apply. Send on IP Interface Status Up: With this option enabled, the interface will send gratuitous ARP request packets when its status becomes up.
  • Page 639 Configuring ARP ARP Configurations Figure 2-4 Configuring Proxy ARP Select the desired interface and enable proxy ARP. Then click Apply. IP Address Displays the IP address of the Layer 3 interface Subnet Mask Displays the subnet mask of the IP address. Status Enable proxy ARP feature on the interface.
  • Page 640 Configuring ARP ARP Configurations 2.2 Using the CLI 2.2.1 Configuring the ARP Entry ■ Adding Static ARP Entries Follow these steps to add static ARP entries: Step 1 configure Enter global configuration mode. arp ip mac type Step 2 Add a static ARP entry. : Enter the IP address of the static ARP entry.
  • Page 641 Configuring ARP ARP Configurations Step 1 configure Enter global configuration mode. Step 2 arp timeout timeout Configure the ARP aging time of the VLAN interface or routed port . timeout: Specify the value of aging time, which ranges from 1 to 3000 in seconds. The default value is 600 seconds.
  • Page 642 Configuring ARP ARP Configurations ■ Viewing ARP Entries On privileged EXEC mode or any other configuration mode, you can use the following command to view ARP entries: show arp [ ip ] [ mac ] Specify the IP address of your desired ARP entry. mac: Specify the MAC address of your desired ARP entry.
  • Page 643 Configuring ARP ARP Configurations Switch#configure Switch(config)#gratuitous-arp dup-ip-detected enable Switch(config)#gratuitous-arp intf-status-up enable Switch(config)#gratuitous-arp learning enable Switch(config)#show gratuitous-arp Send on IP interface Status up : Enabled Send on Duplicate IP Detected : Enabled Gratuitous ARP Learning : Enabled Interface Gratuitous ARP Periodical Send Interval --------- ------------------------------------------ Gi1/0/18...
  • Page 644 Configuring ARP ARP Configurations Step 4 show gratuitous-arp Show the gratuitous ARP configuration. Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. This example shows how to configure the interval of sending gratuitous ARP packets for VLAN interface 1 as 10 seconds: Switch#configure Switch(config)#interface vlan 1...
  • Page 645 Configuring ARP ARP Configurations Three types of Layer 3 interfaces can be enabled with Proxy ARP: routed port, port-channel and VLAN interface. interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | ten-range gigabitEthernet port-list | port-channel port-channel | range port-channel port-channel-list |} no switch port Step 2...
  • Page 646 Configuring ARP ARP Configurations Three types of Layer 3 interfaces can be enabled with Local Proxy ARP: routed port, port-channel and VLAN interface. interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | ten-range gigabitEthernet port-list | port-channel port-channel | range port-channel port-channel-list |} no switch port Step 2...
  • Page 647 Configuring ARP Appendix: Default Parameters Appendix: Default Parameters Default ARP settings are listed in the following tables. Table 3-1 Default Gratuitous Settings Parameter Default Setting Send on IP Interface Status Up Enabled Send on Duplicate IP Detected Disabled Gratuitous ARP Learning Disabled Gratuitous ARP Periodical Send Interval 0 second...
  • Page 648 Part 22 Configuring QoS CHAPTERS 1. QoS 2. Class of Service Configuration 3. Bandwidth Control Configuration 4. Voice VLAN Configuration 5. Auto VoIP Configuration 6. Configuration Examples 7. Appendix: Default Parameters...
  • Page 649 Configuring QoS 1.1 Overview As networks grow and applications develop, internet traffic has increased dramatically, resulting in network congestion, packet drops and long transmission delays. Typically, networks treat all traffic equally on a FIFO (First In First Out) delivery basis, but nowadays many special applications like VoD, video conferences, VoIP, etc.
  • Page 650 Configuring QoS can deteriorate a lot because of packet loss and delay. To ensure the high voice quality, you can configure Voice VLAN or Auto VoIP. These two features can be enabled on the ports that transmit voice traffic only or transmit both voice traffic and data traffic.
  • Page 651 Configuring QoS Class of Service Configuration Class of Service Configuration With class of service configurations, you can: ■ Configure port priority ■ Configure 802.1p priority ■ Configure DSCP priority ■ Specify the scheduler settings Configuration Guidelines ■ Select the priority mode that the ports trust according to your network requirements. A port can use only one priority to classify the ingress packets.
  • Page 652 Configuring QoS Class of Service Configuration 2.1 Using the GUI 2.1.1 Configuring Port Priority ■ Configuring the Trust Mode and Port to 802.1p Mapping Choose the menu QoS > Class of Service > Port Priority to load the following page. Figure 2-1 Configuring the Trust Mode and Port to 802.1p Mapping Follow these steps to configure the parameters of the port priority: 1) Select the desired ports, specify the 802.1p priority and set the trust mode as...
  • Page 653 Configuring QoS Class of Service Configuration ■ Configuring the 802.1p to Queue Mapping Choose the menu QoS > Class of Service > 802.1p Priority to load the following page. Figure 2-2 Configuring the 802.1p to Queue Mapping In the 802.1p to Queue Mapping section, configure the mappings and click Apply. 802.1p Priority Displays the number of 802.1p priority.
  • Page 654 Configuring QoS Class of Service Configuration 2.1.2 Configuring 802.1p Priority ■ Configuring the Trust Mode Choose the menu QoS > Class of Service > Port Priority to load the following page. Figure 2-3 Configuring the Trust Mode Follow these steps to configure the trust mode: 1) Select the desired ports and set the trust mode as Trust 802.1p.
  • Page 655 Configuring QoS Class of Service Configuration ■ Configuring the 802.1p to Queue Mapping and 802.1p Remap For T2600G-28TS/T2600G-28MPS/T2600G-28SQ/T2600G-52TS: Choose the menu QoS > Class of Service > 802.1p Priority to load the following page. Figure 2-4 Configuring the 802.1p to Queue Mapping and 802.1p Remap Follow these steps to configure the parameters of the 802.1p priority: 1) In the 802.1p to Queue Mapping section, configure the mappings and click Apply.
  • Page 656 Configuring QoS Class of Service Configuration 2) (Optional) In the 802.1p Remap section, configure the 802.1p to 802.1p mappings for ports and click Apply. 0 - 7 Select the number of 802.1p priority to which the desired 802.1p priority will be remapped.
  • Page 657 Configuring QoS Class of Service Configuration Queue Select the TC queue for the desired 802.1p priority. The packets with the desired 802.1p priority will be put in the corresponding queue. 2) (Optional) In the 802.1p Remap section, configure the 802.1p to 802.1p mappings and click Apply.
  • Page 658 Configuring QoS Class of Service Configuration Trust Mode Select the Trust mode as Trust DSCP. In this mode, the IP packets will be processed according to the DSCP priority configuration and the non-IP packets will be processed according to the port priority configuration. 2) Click Apply.
  • Page 659 Configuring QoS Class of Service Configuration ■ Configuring the DSCP to 802.1p Mapping and the DSCP Remap For T2600G-28TS/T2600G-28MPS/T2600G-28SQ/T2600G-52TS: Choose the menu QoS > Class of Service > DSCP Priority to load the following page. Figure 2-8 Configuring the DSCP to 802.1p Mapping and the DSCP Remap Follow these steps to configure the DSCP Priority: 1) Select the desired port, configure the DSCP to 802.1p mapping and the DSCP remap.
  • Page 660 Configuring QoS Class of Service Configuration For T2600G-18TS: Choose the menu QoS > Class of Service > DSCP Priority to load the following page. Figure 2-9 Configuring the DSCP to 802.1p Mapping and the DSCP Remap Follow these steps to configure the DSCP Priority: 1) In the DSCP Priority Config section, configure the DSCP to 802.1p mapping and the DSCP remap.
  • Page 661 Configuring QoS Class of Service Configuration Choose the menu QoS > Class of Service > Scheduler Settings to load the following page. Figure 2-10 Specifying the Scheduler Settings (For T2600G-28TS/T2600G-28MPS/T2600G-28SQ/T2600G-52TS)...
  • Page 662 Configuring QoS Class of Service Configuration Figure 2-11 Specifying the Scheduler Settings (For T2600G-18TS) Follow these steps to configure the schedule mode: 1) In the Scheduler Config section, select the desired port. 2) Select the desired queue and configure the parameters. Queue TC-id Displays the ID number of priority Queue.
  • Page 663 Configuring QoS Class of Service Configuration Minimum Bandwidth Specify the minimum guaranteed bandwidth for the desired queue. The valid values are from 0 to 100 and 0 means Minimum Bandwidth is disabled. If the queue bandwidth calculated according to the weight is smaller than the minimum bandwidth, the switch will be forced to allocate the minimum bandwidth to the queue, and the other queues will share the remaining bandwidth based on the weight.
  • Page 664 Configuring QoS Class of Service Configuration Step 5 show qos trust interface [fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] Verify the trust mode of the ports. Step 6 show qos port-priority interface [fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] Verify the port to 802.1p mappings.
  • Page 665 Configuring QoS Class of Service Configuration The following example shows how to configure the trust mode of port 1/0/1 as untrust, map the port 1/0/1 to 802.1p priority 1 and map 802.1p priority 1 to TC3: Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#qos trust mode untrust Switch(config-if)#qos port-priority 1 Switch(config-if)#exit...
  • Page 666 Configuring QoS Class of Service Configuration Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3 qos trust mode { untrust | dot1p | dscp } Select the trust mode for the port.
  • Page 667 Configuring QoS Class of Service Configuration Step 3 For T2600G-28TS/T2600G-28MPS/T2600G-28SQ/T2600G-52TS: interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. qos dot1p-remap { dot1p-priority } { new-dot1p-priority } (Optional) Specify the 802.1p to 802.1p mappings for the desired port.
  • Page 668 Configuring QoS Class of Service Configuration The following example shows how to configure the trust mode of port 1/0/1 as dot1p, map 802.1p priority 3 to TC4, and configure to map the original 802.1p 1 to 802.1p priority 3: Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#qos trust mode dot1p Switch(config-if)#exit...
  • Page 669 Configuring QoS Class of Service Configuration Step 1 configure Enter global configuration mode Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode.
  • Page 670 Configuring QoS Class of Service Configuration ■ Configuring the DSCP to 802.1p Mapping and DSCP Remap Follow these steps to configure the DSCP to 802.1p mapping and DSCP remap: Step 1 configure Enter global configuration mode Step 2 For T2600G-28TS/T2600G-28MPS/T2600G-28SQ/T2600G-52TS: interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list }...
  • Page 671 Configuring QoS Class of Service Configuration Step 4 For T2600G-28TS/T2600G-28MPS/T2600G-28SQ/T2600G-52TS: show qos dscp-map interface [fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] Verify the DSCP to queue mappings of ports. For T2600G-18TS: show qos dscp-map Verify the DSCP to queue mappings globally.
  • Page 672 Configuring QoS Class of Service Configuration Port Trust Mode -------- --------- ------ Gi1/0/1 trust DSCP Switch(config-if)#show qos cos-map -----+-----+-----+-----+-----+-----+-----+----+---- Tag |0 -----+-----+-----+-----+-----+-----+-----+----+---- TC |TC0 |TC1 |TC2 |TC4 |TC4 |TC5 |TC6 |TC7 -----+-----+-----+-----+-----+-----+-----+----+---- Switch(config-if)#show qos dscp-map interface gigabitEthernet 1/0/1 Gi1/0/1----LAG: N/A DSCP: DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ----...
  • Page 673 Configuring QoS Class of Service Configuration DSCP to 802.1P 6 ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 57 58 59 60 61 62 63 DSCP to 802.1P 7 ---- ---- ---- ---- ---- ---- ---- --- Switch(config-if)#show qos dscp-remap interface gigabitEthernet 1/0/1 Gi1/0/1----LAG: N/A DSCP: DSCP remap value 0...
  • Page 674 Configuring QoS Class of Service Configuration DSCP remap value 56 57 58 59 60 61 62 63 ---- ---- ---- ---- ---- ---- ---- ---- Switch(config-if)#end Switch#copy running-config startup-config 2.2.4 Specifying the Scheduler Settings Follow these steps to specify the scheduler settings to control the forwarding sequence of different TC queues when congestion occurs.
  • Page 675 Configuring QoS Class of Service Configuration Step 5 show qos queue interface [fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] Verify the scheduler settings. Step 6 end Return to privileged EXEC mode. Step 7 copy running-config startup-config Save the settings in the configuration file.
  • Page 676 Configuring QoS Bandwidth Control Configuration Bandwidth Control Configuration With bandwidth control configurations, you can: ■ Configure rate limit ■ Configure storm control 3.1 Using the GUI 3.1.1 Configuring Rate Limit Choose the menu QoS > Bandwidth Control > Rate Limit to load the following page. Figure 3-1 Configuring Rate Limit Follow these steps to configure the Rate Limit function: 1) Select the desired port and configure the upper rate limit to receive and send packets.
  • Page 677 Configuring QoS Bandwidth Control Configuration 3.1.2 Configuring Storm Control Choose the menu QoS > Bandwidth Control > Storm Control to load the following page. Figure 3-2 Configuring Storm Control Follow these steps to configure the Storm Control function: 1) Select the desired port and configure the upper rate limit for forwarding broadcast packets, multicast packets and UL-frames (Unknown unicast frames).
  • Page 678 Configuring QoS Bandwidth Control Configuration Multicast Threshold (0-1,000,000) Specify the upper rate limit for receiving multicast packets. The valid values differ among different rate modes. The value 0 means the multicast threshold is disabled. The multicast traffic exceeding the limit will be processed according to the Action configurations.
  • Page 679 Configuring QoS Bandwidth Control Configuration Step 3 bandwidth {ingress ingress-rate | egress egress-rate } Configure the upper rate limit for the port to receive and send packets. ingress-rate: Configure the upper rate limit for receiving packets on the port. The valid values are from 0 to 1000000 Kbps.
  • Page 680 Configuring QoS Bandwidth Control Configuration Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 3 storm-control rate-mode {kbps | ratio | pps} Specify the Rate Mode for the broadcast threshold, multicast threshold and UL-Frame...
  • Page 681 Configuring QoS Bandwidth Control Configuration Step 7 storm-control exceed {drop | shutdown} [recover-time time ] Specify the action and the recover time. The switch will perform the action when the traffic exceeds its corresponding limit. By default, it is drop. drop: Set the Action as Drop.
  • Page 682 Configuring QoS Voice VLAN Configuration Voice VLAN Configuration To complete the voice VLAN configurations, follow these steps: 1) Create an 802.1Q VLAN 2) Configure OUI addresses 3) Configure Voice VLAN globally 4) Add ports to Voice VLAN Configuration Guidelines ■ Before configuring voice VLAN, you need to create an 802.1Q VLAN for voice traffic. For details about 802.1Q VLAN Configuration, please refer to 802.1Q VLAN Configuration.
  • Page 683 Configuring QoS Voice VLAN Configuration Figure 4-1 Configuring OUI Addresses Follow these steps to configure the OUI addresses: 1) Click to load the following page. Figure 4-2 Creating an OUI Entry 2) Specify the OUI and the Description. Enter the OUI address of your voice devices. The OUI address is used by the switch to determine whether a packet is a voice packet.
  • Page 684 Configuring QoS Voice VLAN Configuration Figure 4-3 Configuring Voice VLAN Globally Follow these steps to configure voice VLAN globally: 1) Enable the voice VLAN feature and specify the parameters. VLAN ID Specify the 802.1Q VLAN ID to set the 802.1Q VLAN as the voice VLAN. Priority Select the priority that will be assigned to voice packets.
  • Page 685 Configuring QoS Voice VLAN Configuration Optional Status Displays the state of the Voice VLAN on the corresponding port. Active: Indicates that Voice VLAN function is enabled on the port. Inactive: Indicates that Voice VLAN function is disabled on the port. 2) Click Apply.
  • Page 686 Configuring QoS Voice VLAN Configuration Step 8 show voice vlan interface Verify the voice VLAN configuration information. Step 8 end Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file. The following example shows how to show the OUI table, set VLAN 8 as voice VLAN, set the priority as 6 and enable voice VLAN feature on port 1/0/3: Switch#configure Switch(config)#show voice vlan oui-table...
  • Page 687 Configuring QoS Voice VLAN Configuration Gi1/0/2 disabled Down Gi1/0/3 enabled Gi1/0/4 disabled Down Gi1/0/5 disabled Down Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 688 Configuring QoS Auto VoIP Configuration Auto VoIP Configuration Configuration Guidelines ■ Before configuring Auto VoIP, you need to enable LLDP-MED on ports and configure the relevant parameters. For details about LLDP-MED configuration, please refer to LLDP Configurations. ■ Auto VoIP provides flexible solutions for optimizing the voice traffic. It can work with other features such as VLAN and Class of Service to process the voice packets with specific fields.
  • Page 689 Configuring QoS Auto VoIP Configuration Interface Mode Select the interface mode for the port. Disable: Disable the Auto VoIP function on the corresponding port. None: Allow the voice devices to use its own configuration to send voice traffic. VLAN ID: The voice devices will send voice packets with desired VLAN tag. If this mode is selected, it is necessary to specify the VLAN ID in the Value field.
  • Page 690 Configuring QoS Auto VoIP Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list } Enter interface configuration mode. Step 4 Select the interface mode for the port.
  • Page 691 Configuring QoS Auto VoIP Configuration Step 7 show auto-voip Verify the global state of Auto VoIP. Step 8 show auto-voip interface Verify the Auto VoIP configuration information of ports. Step 8 end Return to privileged EXEC mode. Step 9 copy running-config startup-config Save the settings in the configuration file.
  • Page 692 Configuring QoS Auto VoIP Configuration Interface.Gi1/0/3 Auto-VoIP Interface Mode. Enabled Auto-VoIP Priority. Auto-VoIP COS Override. True Auto-VoIP DSCP Value. Auto-VoIP Port Status. Enabled Switch(config-if)#end Switch#copy running-config startup-config...
  • Page 693 Configuring QoS Configuration Examples Configuration Examples 6.1 Example for Class of Service 6.1.1 Network Requirements As shown below, both RD department and Marketing department can access the internet. When congestion occurs, the traffic from two departments can both be forwarded and the traffic from the Marketing department should take precedence.
  • Page 694 Configuring QoS Configuration Examples Demonstrated with T2600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 6.1.3 Using the GUI 1) Choose the menu QoS > Class of Service > Port Priority to load the following page. Set the trust mode of port 1/0/1 and 1/0/2 as untrusted.
  • Page 695 Configuring QoS Configuration Examples Figure 6-3 Configuring the 802.1p to Queue Mappings 3) Choose the menu QoS > Class of Service > Scheduler Settings to load the following page. Select the port 1/0/3 and set the scheduler type of TC-0 and TC-1 as Weighted. Specify the queue weight of TC-0 as 1 and specify the queue weight of TC-1 as 5.
  • Page 696 Configuring QoS Configuration Examples Figure 6-4 Configuring the Egress Queue 4) Click to save the settings. 6.1.4 Using the CLI 1) Set the trust mode of port 1/0/1 as untrusted and specify the 802.1p priority as 1. Switch_A#configure Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#qos trust mode untrust Switch_A(config-if)#qos port-priority 1 Switch_A(config-if)#exit...
  • Page 697 Configuring QoS Configuration Examples Switch_A(config)#qos cos-map 1 0 4) Set the scheduler type of TC-0 and TC-1 as Weighted for egress port 1/0/3. Specify the queue weight of TC-0 as 1 and specify the queue weight of TC-1 as 5. Switch_A(config)#interface gigabitEthernet 1/0/3 Switch_A(config-if)#qos queue 0 mode wrr weight 1 Switch_A(config-if)#qos queue 1 mode wrr weight 5...
  • Page 698 Configuring QoS Configuration Examples Switch_A#show qos cos-map -----+-----+-----+-----+-----+-----+-----+----+---- Tag |0 -----+-----+-----+-----+-----+-----+-----+----+---- TC |TC1 |TC0 |TC2 |TC4 |TC4 |TC5 |TC6 |TC7 -----+-----+-----+-----+-----+-----+-----+----+---- Verify the scheduler mode of the egress port: Switch_A#show qos queue interface gigabitEthernet 1/0/3 Gi1/0/3----LAG: N/A Queue Schedule Mode Weight Min Bandwidth(%) ----- ---------- -----...
  • Page 699 Configuring QoS Configuration Examples Figure 6-5 Voice VLAN Application Topology Switch B Gi1/0/4 Switch A Gi1/0/1 Gi1/0/3 Gi1/0/2 VLAN 2 VLAN 3 IP Phone 1 IP Phone 2 PC 3 6.2.2 Configuration Scheme To implement this requirement, you can configure Voice VLAN to ensure that the voice traffic can be transmitted in the same VLAN and the data traffic is transmitted in another VLAN.
  • Page 700 Configuring QoS Configuration Examples Figure 6-6 Configuring VLAN 2 2) Click to load the following page. Create VLAN 3 and add untagged port 1/0/3 and port 1/0/4 to VLAN 3. Click Create...
  • Page 701 Configuring QoS Configuration Examples Figure 6-7 Configuring VLAN 3 3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Disable the Ingress Checking feature on port 1/0/1 and port 1/0/2 and specify the PVID as 2. Click Apply...
  • Page 702 Configuring QoS Configuration Examples Figure 6-8 Specifying the Parameters of the Ports 4) Choose the menu QoS > Voice VLAN > OUI Config to load the following page. Check the OUI table. Figure 6-9 Checking the OUI Table 5) Choose the menu QoS > Voice VLAN > Global Config to load the following page. Enable Voice VLAN globally.
  • Page 703 Configuring QoS Configuration Examples Figure 6-10 Configuring Voice VLAN Globally 6) Choose the menu QoS > Voice VLAN > Port Config to load the following page. Enable Voice VLAN on port 1/0/1 and port 1/0/2. Click Apply. Figure 6-11 Enabling Voice VLAN on Ports 7) Click to save the settings.
  • Page 704 Configuring QoS Configuration Examples Switch_A(config-if)#switchport general allowed vlan 2 untagged Switch_A(config-if)#exit Switch_A(config)#interface gigabitEthernet 1/0/4 Switch_A(config-if)#switchport general allowed vlan 2 untagged Switch_A(config-if)#exit 2) Create VLAN 3 and add untagged port 1/0/3 and port 1/0/4 to VLAN 3. Switch_A(config)#vlan 3 Switch_A(config-vlan)#name VLAN3 Switch_A(config-vlan)#exit Switch_A(config)#interface gigabitEthernet 1/0/3 Switch_A(config-if)#switchport general allowed vlan 3 untagged...
  • Page 705 Configuring QoS Configuration Examples 00:60:B9 Default NITSUKO 00:D0:1E Default PINTEL 00:E0:75 Default VERILINK 00:E0:BB Default 3COM 00:04:0D Default AVAYA1 00:1B:4F Default AVAYA2 00:04:13 Default SNOM 5) Enable Voice VLAN globally. Specify the VLAN ID as 2 and set the priority as 7. Switch_A(config)#voice vlan 2 Switch_A(config)#voice vlan priority 7 6) Enable Voice VLAN on port 1/0/1 and port 1/0/2.
  • Page 706 Configuring QoS Configuration Examples VoiceVLAN active Gi1/0/1, Gi1/0/2, Gi1/0/4 VLAN3 active Gi1/0/3, Gi1/0/4 Verify the Voice VLAN configuration: Switch_A(config)#show voice vlan interface Voice VLAN ID Priority Interface Voice VLAN Mode Operational Status LAG --------- --------------- ------------------ Gi1/0/1 enabled Gi1/0/2 enabled Gi1/0/3 disabled Down...
  • Page 707 Configuring QoS Configuration Examples Figure 6-12 Auto VoIP Application Topology Switch B Gi1/0/2 Gi1/0/1 Switch A PC 10 IP Phone 10 6.3.2 Configuration Scheme To optimize voice traffic, configure Auto VoIP and LLDP-MED to instruct IP Phones to send traffic with desired DSCP priority. Voice traffic is put in the desired queue and data traffic is put in other queues according to the Class of Service configurations.
  • Page 708 Configuring QoS Configuration Examples Figure 6-13 Configuring Auto VoIP 2) Choose the menu QoS > Class of Service > Port Priority to load the following page. Set the trust mode of port 1/0/1 as trust DSCP. Click Apply. Figure 6-14 Configuring Port Priority 3) Choose the menu QoS >...
  • Page 709 Configuring QoS Configuration Examples Figure 6-15 Specifying the 802.1p priority for DSCP priority 63 4) Select port 1/0/1 and specify the 802.1p priority as 5 for other DSCP priorities. Click Apply...
  • Page 710 Configuring QoS Configuration Examples Figure 6-16 Specifying the 802.1p priority for Other DSCP priorities 5) Choose the menu QoS > Class of Service > Scheduler Settings to load the following page. Select port 1/0/2. Set the scheduler mode as weighted and specify the queue weight as 1 for TC-5.
  • Page 711 Configuring QoS Configuration Examples Figure 6-17 Configuring the TC-5 for the Port 6) Select port 1/0/2. Set the scheduler mode as weighted and specify the queue weight as 10 for TC-7. Click Apply...
  • Page 712 Configuring QoS Configuration Examples Figure 6-18 Configuring the TC-7 for the Port 7) Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Port Config and click Detail of port 1/0/1 to load the following page. Check the boxes of all the TLVs. Click Save...
  • Page 713 Configuring QoS Configuration Examples Figure 6-19 Configuring the TLVs 8) Choose the menu L2 FEATURES > LLDP > LLDP-MED Config > Port Config to load the following page. Enable LLDP-MED on port 1/0/1. Click Apply. Figure 6-20 Enabling LLDP-MED on the Port 9) Click to save the settings.
  • Page 714 Configuring QoS Configuration Examples 6.3.4 Using the CLI 1) Enable Auto VoIP globally and specify the DSCP value of port 1/0/1 as 63. Switch_A#configure Switch_A(config)#auto-voip Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#auto-voip dscp 63 Switch_A(config-if)#exit 2) Set the trust mode of port 1/0/1 as trust DSCP. Specify the 802.1p priority as 7 for DSCP priority 63 and specify 802.1p priority as 5 for other DSCP priorities.
  • Page 715 Configuring QoS Configuration Examples Verify the configurations Verify the configuration of Auto VoIP: Switch_A(config)#show auto-voip Administrative Mode: Enabled Verify the Auto VoIP configuration of ports: Switch_A(config)#show auto-voip interface Interface.Gi1/0/1 Auto-VoIP Interface Mode. Disabled Auto-VoIP COS Override. False Auto-VoIP DSCP Value. Auto-VoIP Port Status.
  • Page 716 Configuring QoS Configuration Examples Switch_A(config)#show qos cos-map -----+-----+-----+-----+-----+-----+-----+----+---- Tag |0 -----+-----+-----+-----+-----+-----+-----+----+---- TC |TC1 |TC0 |TC2 |TC3 |TC4 |TC5 |TC6 |TC7 -----+-----+-----+-----+-----+-----+-----+----+---- Switch_A(config)#show qos dscp-map interface gigabitEthernet 1/0/1 Gi1/0/1----LAG: N/A DSCP: DSCP to 802.1P ---- ---- ---- ---- ---- ---- ---- ---- DSCP: 10 11 12 13 14 15 DSCP to 802.1P...
  • Page 717 Configuring QoS Configuration Examples DSCP to 802.1P 5 ---- ---- ---- ---- ---- ---- ---- --- Verify the configuration of LLDP-MED: Switch_A(config)#show lldp interface LLDP interface config: gigabitEthernet 1/0/1: Admin Status: TxRx SNMP Trap: Disabled Status ------ Port-Description System-Capability System-Description System-Name Management-Address Port-VLAN-ID...
  • Page 718 Configuring QoS Configuration Examples Extended Power Via MDI Inventory Management...
  • Page 719 Configuring QoS Appendix: Default Parameters Appendix: Default Parameters Default settings of Class of Service are listed in the following tables. Table 7-1 Default Settings of Port Priority Configuration Parameter Default Setting 802.1P Priority Trust Mode Untrusted Table 7-2 Default Settings of 802.1p to Queue Mapping 802.1p Priority Queues (8) Table 7-3...
  • Page 720 Configuring QoS Appendix: Default Parameters DSCP 802.1p Priority 16 to 23 24 to 31 32 to 39 40 to 47 48 to 55 56 to 63 Table 7-5 Default Settings of DSCP Remap Configuration Original New DSCP Original New DSCP Original New DSCP DSCP...
  • Page 721 Configuring QoS Appendix: Default Parameters Table 7-6 Default Settings of Scheduler Settings Configuration Parameter Default Setting Scheduler Type Weighted Queue Weight Minimum Bandwidth Management Taildrop Type Default settings of Class of Service are listed in the following tables. Table 7-7 Default Settings of Bandwidth Control Parameter Default Setting...
  • Page 722 Configuring QoS Appendix: Default Parameters Table 7-10 Default Settings of Port Configuration Parameter Default Setting Voice VLAN Disabled Table 7-11 Default Settings of OUI Table Status Description 00:01:E3 Default SIEMENS 00:03:6B Default CISCO1 00:12:43 Default CISCO2 00:0F:E2 Default 00:60:B9 Default NITSUKO 00:D0:1E Default...
  • Page 723 Part 23 Configuring Access Security CHAPTERS 1. Access Security 2. Access Security Configurations 3. Appendix: Default Parameters...
  • Page 724 Configuring Access Security Access Security Access Security 1.1 Overview Access Security provides different security measures for accessing the switch remotely so as to enhance the configuration management security. 1.2 Supported Features Access Control This function is used to control the users’ access to the switch based on IP address, MAC address or port.
  • Page 725 Configuring Access Security Access Security Configurations Access Security Configurations With access security configurations, you can: ■ Configure the Access Control feature ■ Configure the HTTP feature ■ Configure the HTTPS feature ■ Configure the SSH feature ■ Configure the Telnet function ■...
  • Page 726 Configuring Access Security Access Security Configurations Control Mode Choose how to control the users’ access. IP-based: Only the users within a certain IP-range can access the switch via the specified interfaces. MAC-based: Only the users with a certain MAC address can access the switch via the specified interfaces.
  • Page 727 Configuring Access Security Access Security Configurations ■ When the MAC-based mode is selected, the following window will pop up. Figure 2-3 Configuring Access Control Entry Based on MAC Address Access Interface Select the interfaces where to apply the Access Control rule. If an interface is unselected, all users can access the switch via it.
  • Page 728 Configuring Access Security Access Security Configurations Access Interface Select the interfaces where to apply the Access Control rule. If an interface is unselected, all users can access the switch via it. SNMP: A function to manage the network devices via NMS. Telnet: A connection type for users to remote login.
  • Page 729 Configuring Access Security Access Security Configurations HTTP HTTP function is based on the HTTP protocol. It allows users to manage the switch through a web browser. Port Specify the port number for HTTP service. 2) In the Session Config section, specify the Session Timeout and click Apply. Session The system will log out automatically if users do nothing within the Session Timeout...
  • Page 730 Configuring Access Security Access Security Configurations 2.1.3 Configuring the HTTPS Function Choose the menu SECURITY > Access Security > HTTPS Config to load the following page. Figure 2-6 Configuring the HTTPS Function 1) In the Global Config section, enable HTTPS function, select the protocol version that the switch supports and specify the port number for HTTPS.
  • Page 731 Configuring Access Security Access Security Configurations HTTPS Enable or disable the HTTPS function. HTTPS function is based on the SSL or TLS protocol. It provides a secure connection between the client and the switch. Protocol Version Select the protocol version for HTTPS. Make sure the protocol in use is compatible with that on your HTTPS client.
  • Page 732 Configuring Access Security Access Security Configurations 4) In the Number of Access Users section, enable Number Control function, specify the following parameters and click Apply. Number Control Enable or disable Number Control. With this option enabled, you can control the number of the users logging on to the web management page at the same time.
  • Page 733 Configuring Access Security Access Security Configurations 2.1.4 Configuring the SSH Feature Choose the menu SECURITY > Access Security > SSH Config to load the following page. Figure 2-7 Configuring the SSH Feature 1) In the Global Config section, select Enable to enable SSH function and specify following parameters.
  • Page 734 Configuring Access Security Access Security Configurations Protocol V1 Select Enable to enable SSH version 1. Protocol V2 Select Enable to enable SSH version 2. Idle Timeout Specify the idle timeout time. The system will automatically release the connection when the time is up. Maximum Specify the maximum number of the connections to the SSH server.
  • Page 735 Configuring Access Security Access Security Configurations 2.1.6 Configuring the Serial Port Parameters Choose the menu SECURITY > Access Security > Serial Port Config to load the following page. Figure 2-9 Configuring the Serial Port Parameters Configure the Baud Rate and click Apply. Baud Rate Configure the baud rate of the console connection.
  • Page 736 Configuring Access Security Access Security Configurations Step 2 ■ Use the following command to control the users’ access by limiting the IP address: user access-control ip-based enable Configure the control mode as IP-based. user access-control ip-based { ip-addr ip-mask } [ snmp ] [ telnet ] [ ssh ] [ http ] [ https ] [ ping ] [ all ] Only the users within a certain IP-range can access the switch via the specified interfaces.
  • Page 737 Configuring Access Security Access Security Configurations Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to set the type of access control as IP-based. Set the IP address as 192.168.0.100, set the subnet mask as 255.255.255.0, and select snmp, telnet, http and https to apply the Access Control rule.
  • Page 738 Configuring Access Security Access Security Configurations Step 4 ip http max-users admin-num operator-num poweruser-num user-num Specify the maximum number of users that are allowed to connect to the HTTP server. The total number of users should be no more than 16. admin-num : Enter the maximum number of users whose access level is Admin.
  • Page 739 Configuring Access Security Access Security Configurations 2.2.3 Configuring the HTTPS Function Follow these steps to configure the HTTPS function: Step 1 configure Enter global configuration mode. Step 2 ip http secure-server Enable the HTTPS function. By default, it is enabled. Step 3 ip http secure-protocol { ssl3 | tls1 | tls11 | tls12 | all } Select the protocol version for HTTPS.
  • Page 740 Configuring Access Security Access Security Configurations Step 5 ip http secure-session timeout minutes Specify the Session Timeout time. The system will log out automatically if users do nothing within the Session Timeout time. minutes : Specify the timeout time, which ranges from 5 to 30 minutes. The default value is 10. Step 6 ip http secure-max-users admin-num operator-num poweruser-num user-num Specify the maximum number of users that are allowed to connect to the HTTPS server.
  • Page 741 Configuring Access Security Access Security Configurations number as 2. Download the certificate named ca.crt and the key named ca.key from the TFTP server with the IP address 192.168.0.100. Switch#configure Switch(config)#ip http secure-server Switch(config)#ip http secure-protocol all Switch(config)#ip http secure-ciphersuite 3des-ede-cbc-sha Switch(config)#ip http secure-session timeout 15 Switch(config)#ip http secure-max-users 2 2 2 2 Switch(config)#ip http secure-server download certificate ca.crt ip-address...
  • Page 742 Configuring Access Security Access Security Configurations 2.2.4 Configuring the SSH Feature Follow these steps to configure the SSH function: Step 1 configure Enter global configuration mode. Step 2 ip ssh server Enable the SSH function. By default, it is disabled. Step 3 ip ssh version { v1 | v2 } Configure to make the switch support the corresponding protocol.
  • Page 743 Configuring Access Security Access Security Configurations Step 9 Return to privileged EXEC mode. Step 10 copy running-config startup-config Save the settings in the configuration file. Note: It will take a long time to download the key file. Please wait without any operation. The following example shows how to configure the SSH function.
  • Page 744 Configuring Access Security Access Security Configurations AES192-CBC: Disabled AES256-CBC: Disabled Blowfish-CBC: Disabled Cast128-CBC: Enabled 3DES-CBC: Disabled Data Integrity Algorithm: HMAC-SHA1: Disabled HMAC-MD5: Enabled Key Type: SSH-2 RSA/DSA Key File: ---- BEGIN SSH2 PUBLIC KEY ---- Comment: “dsa-key-20160711” Switch(config)#end Switch#copy running-config startup-config 2.2.5 Configuring the Telnet Function Follow these steps to enable the Telnet function: Step 1...
  • Page 745 Configuring Access Security Access Security Configurations Step 1 configure Enter global configuration mode. Step 2 serial_port baud_rate { 9600 | 19200 | 38400 | 57600 | 115200 } Specify the baud rate of the console connection. 9600 | 19200 | 38400 | 57600 | 115200: Specify the communication baud rate on the console port.
  • Page 746 Configuring Access Security Appendix: Default Parameters Appendix: Default Parameters Default settings of Access Security are listed in the following tables. Table 3-1 Default Settings of Access Control Configuration Parameter Default Setting Access Control Disabled Table 3-2 Default Settings of HTTP Configuration Parameter Default Setting HTTP...
  • Page 747 Configuring Access Security Appendix: Default Parameters Parameter Default Setting Idle Timeout 120 seconds Maximum Connections Port AES128-CBC Enabled AES192-CBC Enabled AES256-CBC Enabled Blowfish-CBC Enabled Cast128-CBC Enabled 3DES-CBC Enabled HMAC-SHA1 Enabled HMAC-MD5 Enabled Key Type: SSH-2 RSA/DSA Table 3-5 Default Settings of Telnet Configuration Parameter Default Setting Telnet...
  • Page 748 Part 24 Configuring AAA CHAPTERS 1. Overview 2. AAA Configuration 3. Configuration Examples 4. Appendix: Default Parameters...
  • Page 749 Overview Overview AAA stands for authentication, authorization and accounting. On TP-Link switches, this feature is mainly used to authenticate the users trying to log in to the switch or get administrative privileges. The administrator can create guest accounts and an Enable password for other users.
  • Page 750 Configuring AAA AAA Configuration AAA Configuration In the AAA feature, the authentication can be processed locally on the switch or centrally on the RADIUS/TACACS+ server(s). To ensure the stability of the authentication system, you can configure multiple servers and authentication methods at the same time. This chapter introduces how to configure this kind of comprehensive authentication in AAA.
  • Page 751 Configuring AAA AAA Configuration ■ AAA Application List The switch supports the following access applications: Console, Telnet, SSH and HTTP. You can select the configured authentication method lists for each application. 2.1 Using the GUI 2.1.1 Adding Servers You can add one or more RADIUS/TACACS+ servers on the switch for authentication. If multiple servers are added, the server that is first added to the group has the highest priority and authenticates the users trying to access the switch.
  • Page 752 Configuring AAA AAA Configuration Accounting Port Specify the UDP destination port on the RADIUS server for accounting requests. The default setting is 1813. Usually, it is used in the 802.1x feature. Retransmit Specify the number of times a request is resent to the server if the server does not respond.
  • Page 753 Configuring AAA AAA Configuration 2.1.2 Configuring Server Groups The switch has two built-in server groups, one for RADIUS servers and the other for TACACS+ servers. The servers running the same protocol are automatically added to the default server group. You can add new server groups as needed. Choose the menu SECURITY >...
  • Page 754 Configuring AAA AAA Configuration Choose the menu SECURITY > AAA > Method Config to load the following page. Figure 2-5 Method List There are two default methods respectively for the Login authentication and the Enable authentication. You can edit the default methods or follow these steps to add a new method: 1) Click in the Authentication Login Method Config section or Authentication Enable Method Config section to add corresponding type of method list.
  • Page 755 Configuring AAA AAA Configuration Pri1- Pri4 Specify the authentication methods in order. The method with priority 1 authenticates a user first, the method with priority 2 is tried if the previous method does not respond, and so on. local: Use the local database in the switch for authentication. none: No authentication is used.
  • Page 756 Configuring AAA AAA Configuration 2.1.5 Configuring Login Account and Enable Password The login account and Enable password can be configured locally on the switch or centrally on the RADIUS/TACACS+ server(s). ■ On the Switch The local username and password for login can be configured in the User Management feature.
  • Page 757 Configuring AAA AAA Configuration 2.2 Using the CLI 2.2.1 Adding Servers You can add one or more RADIUS/TACACS+ servers on the switch for authentication. If multiple servers are added, the server with the highest priority authenticates the users trying to access the switch, and the others act as backup servers in case the first one breaks down.
  • Page 758 Configuring AAA AAA Configuration Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add a RADIUS server on the switch. Set the IP address of the server as 192.168.0.10, the authentication port as 1812, the shared key as 123456, the timeout as 8 seconds and the retransmit number as 3.
  • Page 759 Configuring AAA AAA Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to add a TACACS+ server on the switch. Set the IP address of the server as 192.168.0.20, the authentication port as 49, the shared key as 123456, and the timeout as 8 seconds.
  • Page 760 Configuring AAA AAA Configuration Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create a RADIUS server group named RADIUS1 and add the existing two RADIUS servers whose IP address is 192.168.0.10 and 192.168.0.20 to the group.
  • Page 761 Configuring AAA AAA Configuration Step 3 aaa authentication enable { method-list } { method1 } [ method2 ] [ method3 ] [ method4 ] Configure an Enable password method list. method-list Specify a name for the method list. method1/method2/method3/method4 Specify the authentication methods in order. The default methods include radius, tacacs, local and none.
  • Page 762 Configuring AAA AAA Configuration Switch#copy running-config startup-config 2.2.4 Configuring the AAA Application List You can configure authentication method lists on the following access applications: Console, Telnet, SSH and HTTP. ■ Console Follow these steps to apply the Login and Enable method lists for the application Console: Step 1 configure Enter global configuration mode.
  • Page 763 Configuring AAA AAA Configuration Module Login List Enable List Console Login1 Enable1 Telnet default default default default Http default default Switch(config-line)#end Switch#copy running-config startup-config ■ Telnet Follow these steps to apply the Login and Enable method lists for the application Telnet: Step 1 configure Enter global configuration mode.
  • Page 764 Configuring AAA AAA Configuration Switch(config-line)#show aaa global Module Login List Enable List Console default default Telnet Login1 Enable1 default default Http default default Switch(config-line)#end Switch#copy running-config startup-config ■ SSH Follow these steps to apply the Login and Enable method lists for the application SSH: Step 1 configure Enter global configuration mode.
  • Page 765 Configuring AAA AAA Configuration Switch(config-line)#enable authentication Enable1 Switch(config-line)#show aaa global Module Login List Enable List Console default default Telnet default default Login1 Enable1 Http default default Switch(config-line)#end Switch#copy running-config startup-config ■ HTTP Follow these steps to apply the Login and Enable method lists for the application HTTP: Step 1 configure Enter global configuration mode.
  • Page 766 Configuring AAA AAA Configuration Module Login List Enable List Console default default Telnet default default default default Http Login1 Enable1 Switch(config)#end Switch#copy running-config startup-config 2.2.5 Configuring Login Account and Enable Password The login account and Enable password can be configured locally on the switch or centrally on the RADIUS/TACACS+ server(s).
  • Page 767 Configuring AAA AAA Configuration Step 2 Use the following command to create an enable password unencrypted or symmetric encrypted. enable admin password { [ 0 ] password | 7 encrypted-password } indicates that an unencrypted key will follow. password is a string with 31 characters at most, which can contain only English letters (case-sensitive), digits and 17 kinds of special characters.
  • Page 768 Configuring AAA AAA Configuration On the TACACS+ server, configure the value of “enable 15” as the Enable password in the configuration file. All the users trying to get administrative privileges share this Enable password. Tips: The logged-in guests can get administrative privileges by using the command enable-admin and providing the Enable password.
  • Page 769 Configuring AAA Configuration Examples Configuration Examples 3.1 Network Requirements As shown below, the switch needs to be managed remotely via Telnet. In addition, the senior administrator of the company wants to create an account for the less senior administrators, who can only view the configurations and some network information without the Enable password provided.
  • Page 770 Configuring AAA Configuration Examples Demonstrated with T2600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 3.3 Using the GUI 1) Choose the menu SECURITY > AAA > RADIUS Config and click to load the following page.
  • Page 771 Configuring AAA Configuration Examples Figure 3-3 Add RADIUS Server 2 3) Choose the menu SECURITY > AAA > Server Group to load the following page. Click . Specify the group name as RADIUS1 and the server type as RADIUS. Select 192.168.0.10 and 192.168.0.20 from the drop-down list.
  • Page 772 Configuring AAA Configuration Examples Figure 3-5 Configure Login Method Config 5) On the same page, click in the Authentication Enable Method Config section. Specify the Method List Name as MethodEnable and select the Pri1 as RADIUS1. Click Create to set the method list for the Enable password authentication. Figure 3-6 Configure Enable Method Config 6) Choose the menu SECURITY >...
  • Page 773 Configuring AAA Configuration Examples Figure 3-7 Configure AAA Application Config 7) Click to save the settings. 3.4 Using the CLI 1) Add RADIUS Server 1 and RADIUS Server 2 on the switch. Switch(config)#radius-server host 192.168.0.10 auth-port 1812 key 123456 Switch(config)#radius-server host 192.168.0.20 auth-port 1812 key 123456 2) Create a new server group named RADIUS1 and add the two RADIUS servers to the server group.
  • Page 774 Configuring AAA Configuration Examples Verify the Configuration Verify the configuration of the RADIUS servers: Switch#show radius-server Server Ip Auth Port Acct Port Timeout Retransmit NAS Identifier Shared key 192.168.0.10 1812 1813 000AEB132397 123456 192.168.0.20 1812 1813 000AEB132397 123456 Verify the configuration of server group RADIUS1: Switch#show aaa group RADIUS1 192.168.0.10 192.168.0.20...
  • Page 775 Configuring AAA Appendix: Default Parameters Appendix: Default Parameters Default settings of AAA are listed in the following tables. Table 4-1 Parameter Default Setting Global Config AAA Feature Enabled RADIUS Config Server IP None Shared Key None Auth Port 1812 Acct Port 1813 Retransmit Timeout...
  • Page 776 Configuring AAA Appendix: Default Parameters Parameter Default Setting AAA Application List Login List: default console Enable List: default Login List: default telnet Enable List: default Login List: default Enable List: default Login List: default http Enable List: default
  • Page 777 Part 25 Configuring 802.1x CHAPTERS 1. Overview 2. 802.1x Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 778 ■ Client A client, usually a computer, is connected to the authenticator via a physical port. We recommend that you install TP-Link 802.1x authentication client software on the client hosts, enabling them to request 802.1x authentication to access the LAN.
  • Page 779 Configuring 802.1x 802.1x Configuration 802.1x Configuration To complete the 802.1x configuration, follow these steps: 1) Configure the RADIUS server. 2) Configure 802.1x globally. 3) Configure 802.1x on ports. In addition, you can view the authenticator state. Configuration Guidelines 802.1x authentication and Port Security cannot be enabled at the same time. Before enabling 802.1x authentication, make sure that Port Security is disabled.
  • Page 780 Configuring 802.1x 802.1x Configuration 1) Configure the parameters of the RADIUS server. Server IP Enter the IP address of the server running the RADIUS secure protocol. Shared Key Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and exchange responses.
  • Page 781 Configuring 802.1x 802.1x Configuration Figure 2-3 Editing Server Group If you click , the following window will pop up. Specify a name for the server group, select the server type as RADIUS and select the IP address of the RADIUS server. Click Save. Figure 2-4 Adding Server Group ■...
  • Page 782 Handshake Enable or disable the Handshake feature. The Handshake feature is used to detect the connection status between the TP-Link 802.1x Client and the switch. Please disable the Handshake feature if you are using other client software instead of the TP-Link 802.1x Client.
  • Page 783 Configuring 802.1x 802.1x Configuration VLAN Assignment Enable or disable the 802.1x VLAN assignment feature. 802.1x VLAN assignment is a technology allowing the RADIUS server to send the VLAN assignment to the port when the port is authenticated. If the assigned VLAN does not exist on the switch, the switch will create the related VLAN automatically, add the authenticated port to the VLAN and change the PVID based on the assigned VLAN.
  • Page 784 Configuring 802.1x 802.1x Configuration Select whether to enable the MAB (MAC-Based Authentication Bypass) feature for the port. With MAB feature enabled, the switch automatically sends the authentication server a RADIUS access request frame with the client’s MAC address as the username and password.
  • Page 785 Configuring 802.1x 802.1x Configuration Note: If a port is in an LAG, its 802.1x authentication function cannot be enabled. Also, a port with 802.1x authentication enabled cannot be added to any LAG. 2.1.4 View the Authenticator State Choose the menu SECURITY > 802.1x > Authenticator State to load the following page. Figure 2-8 View Authenticator State On this page, you can view the authentication status of each port: Port...
  • Page 786 Configuring 802.1x 802.1x Configuration 2.2 Using the CLI 2.2.1 Configuring the RADIUS Server Follow these steps to configure RADIUS: Step 1 configure Enter global configuration mode. Step 2 radius-server host ip-address [ auth-port port-id ] [ acct-port port-id ] [ timeout time ] [ retransmit number ] [ nas-id nas-id ] key { [ 0 ] string | 7 encrypted-string } Add the RADIUS server and configure the related parameters as needed.
  • Page 787 Configuring 802.1x 802.1x Configuration Step 6 aaa authentication dot1x default { method } Select the RADIUS group for 802.1x authentication. method: Specify the RADIUS group for 802.1x authentication. aaa accounting dot1x default { method } Select the RADIUS group for 802.1x accounting. method: Specify the RADIUS group for 802.1x accounting.
  • Page 788 Configuring 802.1x 802.1x Configuration Switch#configure Switch(config)#radius-server host 192.168.0.100 auth-port 1812 acct-port 1813 key 123456 Switch(config)#aaa group radius radius1 Switch(aaa-group)#server 192.168.0.100 Switch(aaa-group)#exit Switch(config)#aaa authentication dot1x default radius1 Switch(config)#aaa accounting dot1x default radius1 Switch(config)#show radius-server Server Ip Auth Port Acct Port Timeout Retransmit NAS Identifier Shared key 192.168.0.100 1812...
  • Page 789 (Optional) Enable the Handshake feature. The Handshake feature is used to detect the connection status between the TP-Link 802.1x Client and the switch. Please disable the Handshake feature if you are using other client software instead of the TP-Link 802.1x Client. Step 6 dot1x vlan-assignment (Optional) Enable or disable the 802.1x VLAN assignment feature.
  • Page 790 Configuring 802.1x 802.1x Configuration Switch#configure Switch(config)#dot1x system-auth-control Switch(config)#dot1x auth-protocol pap Switch(config)#show dot1x global 802.1X State: Enabled Authentication Protocol: Handshake State: Enabled 802.1X Accounting State: Disabled 802.1X VLAN Assignment State: Disabled Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring 802.1x on Ports Follow these steps to configure the port: Step 1 configure Enter global configuration mode.
  • Page 791 Configuring 802.1x 802.1x Configuration Step 5 dot1x guest-vlan vid (Optional) Configure guest VLAN on the port. vid: Specify the ID of the VLAN to be configured as the guest VLAN. The valid values are from 0 to 4094. 0 means that Guest VLAN is disabled on the port. The configured VLAN must be an existing 802.1Q VLAN.
  • Page 792 Configuring 802.1x 802.1x Configuration Step 12 Return to privileged EXEC mode. Step 13 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable 802.1x authentication on port 1/0/2, configure the control type as port-based, and keep other parameters as default: Switch#configure Switch(config)#interface gigabitEthernet 1/0/2 Switch(config-if)#dot1x...
  • Page 793 Configuring 802.1x 802.1x Configuration Step 3 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode. port: Enter the ID of the port to be configured. Step 4 dot1x auth-init [ mac mac-address ] Initialize the specific client.
  • Page 794 Configuring 802.1x Configuration Example Configuration Example 3.1 Network Requirements The network administrator wants to control access from the end users (clients) in the company. It is required that all clients need to be authenticated separately and only the authenticated clients can access the internet. 3.2 Configuration Scheme ■...
  • Page 795 Configuring 802.1x Configuration Example Figure 3-1 Network Topology Switch A Authenticator Gi1/0/3 Gi1/0/2 Gi1/0/1 RADIUS Server 192.168.0.10/24 Auth Port:1812 Client Client Client Demonstrated with T2600G-28TS acting as the authenticator, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 3.4 Using the GUI 1) Choose the menu SECURITY >...
  • Page 796 Configuring 802.1x Configuration Example 2) Choose the menu SECURITY > AAA > Server Group and click to load the following page. Specify the group name as RADIUS1, select the server type as RADIUS and server IP as 192.168.0.10. Click Create. Figure 3-3 Creating Server Group 3) Choose the menu SECURITY >...
  • Page 797 Configuring 802.1x Configuration Example Figure 3-6 Configuring Port 6) Click to save the settings. 3.5 Using the CLI 1) Configure the RADIUS parameters. Switch_A(config)#radius-server host 192.168.0.10 auth-port 1812 key 123456 Switch_A(config)#aaa group radius RADIUS1 Switch_A(aaa-group)#server 192.168.0.10 Switch_A(aaa-group)#exit Switch_A(config)#aaa authentication dot1x default RADIUS1 2) Globally enable 802.1x authentication and set the authentication protocol.
  • Page 798 Configuring 802.1x Configuration Example Switch_A(config)#interface gigabitEthernet 1/0/3 Switch_A(config-if)#no dot1x Switch_A(config-if)#exit Switch_A(config)#interface gigabitEthernet 1/0/1 Switch_A(config-if)#dot1x Switch_A(config-if)#dot1x port-method mac-based Switch_A(config-if)#dot1x port-control auto Switch_A(config-if)#exit Verify the Configurations Verify the global configurations of 802.1x authentication: Switch_A#show dot1x global 802.1X State: Enabled Authentication Protocol: Handshake State: Enabled 802.1X Accounting State: Disabled...
  • Page 799 Configuring 802.1x Configuration Example unauthorized Verify the configurations of RADIUS : Switch_A#show aaa global Module Login List Enable List Console default default Telnet default default default default Http default default Switch_A#show aaa authentication dot1x Methodlist pri1 pri2 pri3 pri4 default RADIUS1 Switch_A#show aaa group RADIUS1 192.168.0.10...
  • Page 800 Configuring 802.1x Appendix: Default Parameters Appendix: Default Parameters Default settings of 802.1x are listed in the following table. Table 4-1 Default Settings of 802.1x Parameter Default Setting Global Config 802.1x Authentication Disabled Authentication Method Handshake Enabled Accounting Disabled VLAN Assignment Disabled Port Config 802.1x Status...
  • Page 801 Part 26 Configuring Port Security CHAPTERS 1. Overview 2. Port Security Configuration 3. Appendix: Default Parameters...
  • Page 802 Configuring Port Security Overview Overview You can use the Port Security feature to limit the number of MAC addresses that can be learned on each port, thus preventing the MAC address table from being exhausted by the attack packets. In addition, the switch can send a notification if the number of learned MAC addresses on the port exceeds the limit.
  • Page 803 Configuring Port Security Port Security Configuration Port Security Configuration 2.1 Using the GUI Choose the menu SECURITY > Port Security to load the following page. Figure 2-1 Port Security Follow these steps to configure Port Security: 1) Select one or more ports and configure the following parameters. Port Displays the port number.
  • Page 804 Configuring Port Security Port Security Configuration Learn Address Mode Select the learn mode of the MAC addresses on the port. Three modes are provided: Delete on Timeout: The switch will delete the MAC addresses that are not used or updated within the aging time. It is the default setting. Delete on Reboot: The learned MAC addresses are out of the influence of the aging time and can only be deleted manually.
  • Page 805 Configuring Port Security Port Security Configuration Step 3 mac address-table max-mac-count { [max-number num ] [exceed-max-learned enable | disable] [mode { dynamic | static | permanent } ] [ status { forward | drop | disable } ]} Enable the port security feature of the port and configure the related parameters. num : The maximum number of MAC addresses that can be learned on the port.
  • Page 806 Configuring Port Security Port Security Configuration Switch(config-if)#mac address-table max-mac-count max-number 30 exceed-max-learned enable mode permanent status drop Switch(config-if)#show mac address-table max-mac-count interface gigabitEthernet 1/0/1 Port Max-learn Current-learn Exceed Max Limit Mode Status ---- --------- ----------- ---------- ------ -------- Gi1/0/1 disable permanent drop Switch(config-if)#end...
  • Page 807 Configuring Port Security Appendix: Default Parameters Appendix: Default Parameters Default settings of Port Security are listed in the following table. Table 3-1 Default Parameters of Port Security Parameter Default Setting Max Learned Number of Current Learned Number Exceed Max Learned Trap Disabled Learn Address Mode Delete on Timeout...
  • Page 808 Part 27 Configuring ACL CHAPTERS 1. Overview 2. ACL Configuration 3. Configuration Example for ACL 4. Appendix: Default Parameters...
  • Page 809 Configuring ACL Overview Overview ACL (Access Control List) filters traffic as it passes through a switch, and permits or denies packets crossing specified interfaces or VLANs. It accurately identifies and processes the packets based on the ACL rules. In this way, ACL helps to limit network traffic, manage network access behaviors, forward packets to specified ports and more.
  • Page 810 Configuring ACL ACL Configuration ACL Configuration 2.1 Using the GUI 2.1.1 Configuring Time Range Some ACL-based services or features may need to be limited to take effect only during a specified time period. In this case, you can configure a time range for the ACL. For details about Time Range configuration, please refer to Managing System.
  • Page 811 Configuring ACL ACL Configuration 2) (Optional) Assign a name to the ACL 3) Click Create. Note: The supported ACL type and ID range varies on different switch models. Please refer to the on-screen information. 2.1.3 Configuring ACL Rules Note: Every ACL has an implicit deny all rule at the end of an ACL rule list. That is, if an ACL is applied to a packet and none of the explicit rules match, then the final implicit deny all rule takes effect and the packet is dropped.
  • Page 812 Configuring ACL ACL Configuration In ACL Rules Table section, click and the following page will appear. Figure 2-4 Configuring the MAC ACL Rule Follow these steps to configure the MAC ACL rule: 1) In the MAC ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule.
  • Page 813 Configuring ACL ACL Configuration D-MAC/Mask Enter the destination MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. VLAN ID Enter the ID number of the VLAN to which the ACL will apply. EtherType Specify the EtherType to be matched using 4 hexadecimal numbers.
  • Page 814 Configuring ACL ACL Configuration Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port. 4) In the Policy section, enable or disable the Rate Limit feature for the matched packets.
  • Page 815 Configuring ACL ACL Configuration Configuring IP ACL Rule Click Edit ACL for an IP ACL entry to load the following page. Figure 2-9 Configuring the IP ACL Rule In ACL Rules Table section, click and the following page will appear.
  • Page 816 Configuring ACL ACL Configuration Figure 2-10 Configuring the IP ACL Rule Follow these steps to configure the IP ACL rule: 1) In the IP ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL.
  • Page 817 Configuring ACL ACL Configuration S-IP/Mask Enter the source IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. D-IP/Mask Enter the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.
  • Page 818 Configuring ACL ACL Configuration Figure 2-11 Configuring Mirroring 3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected. Figure 2-12 Configuring Redirect Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected.
  • Page 819 Configuring ACL ACL Configuration Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally. Drop: The packets will be discarded. Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one.
  • Page 820 Configuring ACL ACL Configuration In ACL Rules Table section, click and the following page will appear. Figure 2-16 Configuring the Combined ACL Rule Follow these steps to configure the Combined ACL rule: 1) In the Combined ACL Rule section, configure the following parameters:
  • Page 821 Configuring ACL ACL Configuration Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. For the convenience of inserting new rules to an ACL, you should set the appropriate interval between rule IDs.
  • Page 822 Configuring ACL ACL Configuration IP ToS Specify an IP ToS value to be matched between 0 and 15. The default is No Limit. IP Pre Specify an IP Precedence value to be matched between 0 and 7. The default is No Limit. User Priority Specify the User Priority to be matched.
  • Page 823 Configuring ACL ACL Configuration Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port. 4) In the Policy section, enable or disable the Rate Limit feature for the matched packets.
  • Page 824 Configuring ACL ACL Configuration Configuring the IPv6 ACL Rule Click Edit ACL for an IPv6 ACL entry to load the following page. Figure 2-21 Configuring the IPv6 ACL Rule In ACL Rules Table section, click and the following page will appear. Figure 2-22 Configuring the IPv6 ACL Rule
  • Page 825 Configuring ACL ACL Configuration Follow these steps to configure the IPv6 ACL rule: 1) In the IPv6 ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. If you select Auto Assign, the rule ID will be assigned automatically and the interval between rule IDs is 5.
  • Page 826 Configuring ACL ACL Configuration 2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored. Figure 2-23 Configuring Mirroring 3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected.
  • Page 827 Configuring ACL ACL Configuration Burst Size Specify the number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally. Drop: The packets will be discarded. Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one.
  • Page 828 Configuring ACL ACL Configuration Configuring the Packet Content ACL Rule Note: Packet Content ACL is not available for T2600G-18TS. Click Edit ACL for a Packet Content ACL entry to load the following page. Figure 2-27 Configuring the Packet Content ACL Rule User Guide...
  • Page 829 Configuring ACL ACL Configuration In the Packet Content Offset Profile Global Config section, configure the Chunk Offset. Click Apply. Chunk0 Offset/ Chunk1 Offset/ Chunk2 Offset/ Enter the offset of a chunk. Packet Content ACL analyzes and processes data packets based on 4 chunk match conditions, and each chunk can specify a user-defined 4-byte segment carried in the packet’s first 128 bytes.
  • Page 830 Configuring ACL ACL Configuration Follow these steps to configure the Packet Content ACL rule: 1) In the Packet Content Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. If you select Auto Assign, the rule ID will be assigned automatically and the interval between rule IDs is 5.
  • Page 831 Configuring ACL ACL Configuration Figure 2-30 Configuring Redirect Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port.
  • Page 832 Configuring ACL ACL Configuration DSCP Specify the DSCP field for the matched packets. The DSCP field of the packets will be changed to the specified one. Local Priority Specify the local priority for the matched packets. The local priority of the packets will be changed to the specified one.
  • Page 833 Configuring ACL ACL Configuration ■ Binding the ACL to a Port Choose the menu SECURITY > ACL > ACL Binding > Port Binding and click to load the following page. Figure 2-34 Binding the ACL to a Port Follow these steps to bind the ACL to a Port: 1) Choose ID or Name to be used for matching the ACL.
  • Page 834 Configuring ACL ACL Configuration Follow these steps to bind the ACL to a VLAN: 1) Choose ID or Name to be used for matching the ACL. Then select an ACL from the drop-down list. 2) Enter the ID of the VLAN to be bound. 3) Click Create.
  • Page 835 Configuring ACL ACL Configuration Step 3 access-list mac acl-id-or-name rule { auto | rule-id } { deny | permit } logging {enable | disable} [ smac source-mac smask source-mac-mask ] [dmac destination-mac dmask destination-mac-mask ] [type ether-type] [pri dot1p-priority ] [vid vlan-id ] [tseg time-range-name ] Add a MAC ACL Rule.
  • Page 836 Configuring ACL ACL Configuration Switch(config-mac-acl)#access-list mac 50 rule 5 permit logging disable smac 00:34:A2:D4:34:B5 smask FF:FF:FF:FF:FF:FF Switch(config-mac-acl)#exit Switch(config)#show access-list 50 MAC access list 50 name: ACL_50 rule 5 permit logging disable smac 00:34:a2:d4:34:b5 smask ff:ff:ff:ff:ff:ff Switch(config)#end Switch#copy running-config startup-config ■ IP ACL Step 1 configure Enter global configuration mode.
  • Page 837 Configuring ACL ACL Configuration dscp-value: Specify the DSCP value between 0 and 63. tos-value: Specify an IP ToS value to be matched between 0 and 15. pre-value: Specify an IP Precedence value to be matched between 0 and 7. frag {enable | disable}: Enable or disable matching of fragmented packets.
  • Page 838 Configuring ACL ACL Configuration ■ Combined ACL Step 1 configure Enter global configuration mode Step 2 access-list create acl-id [name acl-name ] Create a Combined ACL. acl-id: Enter an ACL ID. The ID ranges from 1000 to 1499. acl-name: Enter a name to identify the ACL. Step 3 access-list combined acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [smac source-mac-address smask source-mac-mask ] [dmac dest-mac-address...
  • Page 839 Configuring ACL ACL Configuration protocol: Specify a protocol number between 0 and 255. s-port-number: With TCP or UDP configured as the protocol, specify the source port number. s-port-mask: With TCP or UDP configured as the protocol, specify the source port mask with 4 hexadecimal numbers.
  • Page 840 Configuring ACL ACL Configuration Step 2 access-list create acl-id [name acl-name ] Create an IPv6 ACL. acl-id: Enter an ACL ID. The ID ranges from 1500 to 1999. acl-name: Enter a name to identify the ACL. Step 3 access-list ipv6 acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [class class-value ] [flow-label flow-label-value ] [sip source-ip-address sip-mask source-ip-mask ] [dip destination-ip-address dip-mask destination-ip-mask ] [s-port source-port-number ] [d-port destination-port-number ] [tseg time-range-name ]...
  • Page 841 Configuring ACL ACL Configuration The following example shows how to create IPv6 ACL 1600 and configure Rule 1 to deny packets with source IPv6 address CDCD:910A:2222:5498:8475:1111:3900:2020: Switch#configure Switch(config)#access-list create 1600 Switch(config)#access-list ipv6 1600 rule 1 deny logging disable sip CDCD:910A:2222:5498:8475:1111:3900:2020 sip-mask ffff:ffff:ffff:ffff Switch(config)#show access-list 1600 IPv6 access list 1600 name: ACL_1600 rule 1 deny logging disable sip cdcd:910a:2222:5498:8475:1111:3900:2020 sip-mask ffff:ff...
  • Page 842 Configuring ACL ACL Configuration Step 4 access-list packet-content config acl-id-or-name rule { auto | rule-id } {deny | permit} logging { enable | disable } [chunk0 value mask0 mask ] [chunk1 value mask1 mask ] [chunk2 value mask2 mask ] [chunk3 value mask3 mask ] [tseg time-range-name ] Add rules to the ACL.
  • Page 843 Configuring ACL ACL Configuration Resequencing Rules You can resequence the rules by providing a Start Rule ID and Step value. Step 1 configure Enter global configuration mode. Step 2 access-list resequence acl-id-or-name start start-rule-id step rule-id-step-value Resequence the rules of the specific ACL. acl-id-or-name : Enter the ID or name of the ACL.
  • Page 844 Configuring ACL ACL Configuration Step 2 access-list action acl-id-or-name rule rule-id Configure the policy actions for an ACL rule. acl-id-or-name : Enter the ID or name of the ACL. rule-id : Enter the ID of the ACL rule. Step 3 redirect interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } (Optional) Define the policy to redirect the matched packets to the desired port.
  • Page 845 Configuring ACL ACL Configuration Switch(config-action)#redirect interface gigabitEthernet 1/0/4 Switch(config-action)#exit Switch(config)#show access-list 10 MAC access list 10 name: ACL_10 rule 5 permit logging disable action redirect Gi1/0/4 Switch(config)#end Switch#copy running-config startup-config 2.2.4 Configuring ACL Binding You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN will then be matched and processed according to the ACL rules.
  • Page 846 Configuring ACL ACL Configuration Switch#configure Switch(config)#access-list bind 1 interface vlan 4 gigabitEthernet 1/0/3 Switch(config)#show access-list bind ACL ID ACL NAME Interface/VID Direction Type ----- ---------- ------------- ------- ---- ACL_1 Gi1/0/3 Ingress Port ACL_1 Ingress VLAN Switch(config)#end Switch#copy running-config startup-config 2.2.5 Viewing ACL Counting You can use the following command to view the number of matched packets of each ACL in the privileged EXEC mode and any other configuration mode: show access-list acl-id-or-name counter...
  • Page 847 Configuring ACL Configuration Example for ACL Configuration Example for ACL 3.1 Configuration Example for MAC ACL 3.1.1 Network Requirements A company forbids the employees in the R&D department from visiting the internal forum during work hours, while the manager of the R&D department can access the internal forum without limitation.
  • Page 848 Configuring ACL Configuration Example for ACL ■ ACL Configuration Create a MAC ACL and configure the following rules for it: ■ Configure a permit rule to match packets with source MAC address 8C-DC-D4-40-A1-79 and destination MAC address 40-61-86-FC-71-56. This rule allows the manager of R&D department to visit internal forum at any time.
  • Page 849 Configuring ACL Configuration Example for ACL Figure 3-3 Adding Period Time 3) After adding the Period Time, click Create to save the time range entry. Figure 3-4 Creating Time Range 4) Choose the menu SECURITY > ACL > ACL Config and click to load the following page.
  • Page 850 Configuring ACL Configuration Example for ACL Figure 3-5 Creating a MAC ACL 5) Click Edit ACL in the Operation column. Figure 3-6 Editing the MAC ACL 6) On the ACL configuration page, click Figure 3-7 Editing the MAC ACL 7) Configure rule 5 to permit packets with the source MAC address 8C-DC-D4-40-A1-79 and destination MAC address 40-61-86-FC-71-56.
  • Page 851 Configuring ACL Configuration Example for ACL Figure 3-8 Configuring Rule 5 8) In the same way, configure rule 15 to deny packets with destination MAC address 40-61-86-FC-71-56 and apply the time range of work hours. User Guide...
  • Page 852 Configuring ACL Configuration Example for ACL Figure 3-9 Configuring Rule 15 9) Configure rule 25 to permit all the packets that do not match either of the above rules. User Guide...
  • Page 853 Configuring ACL Configuration Example for ACL Figure 3-10 Configuring Rule 25 10) Choose the menu SECURITY > ACL > ACL Binding and click to load the following page. Bind ACL 100 to port 1/0/2 to make it take effect. Figure 3-11 Binding the ACL to Port 1/0/2 User Guide...
  • Page 854 Configuring ACL Configuration Example for ACL 11) Click to save the settings. 3.1.4 Using the CLI 1) Create a time range entry. Switch#config Switch(config)#time-range Work_time Switch(config-time-range)#holiday include Switch(config-time-range)#absolute from 01/01/2018 to 01/01/2019 Switch(config-time-range)#periodic start 08:00 end 18:00 day-of-the-week 1,2,3,4,5 Switch(config-time-range)#end Switch#copy running-config startup-config 2) Create a MAC ACL.
  • Page 855 Configuring ACL Configuration Example for ACL rule 5 permit logging disable smac 8c:dc:d4:40:a1:79 smask ff:ff:ff:ff:ff:ff dmac 40:61:86:fc:71:56 dmask ff:ff:ff:ff:ff:ff rule 15 deny logging disable dmac 40:61:86:fc:71:56 dmask ff:ff:ff:ff:ff:ff tseg “Work_time” rule 25 permit logging disable Switch#show access-list bind ACL ID ACL NAME Interface/VID Direction Type ------...
  • Page 856 Configuring ACL Configuration Example for ACL 3.2.2 Configuration Scheme To meet the requirements above, you can set up packet filtering by creating an IP ACL and configuring rules for it. ■ ACL Configuration Create an IP ACL and configure the following rules for it: ■...
  • Page 857 Configuring ACL Configuration Example for ACL Figure 3-14 Editing IP ACL 3) On the ACL configuration page, click Figure 3-15 Editing IP ACL 4) Configure rule 1 to permit packets with the source IP address 10.10.70.0/24 and destination IP address 10.10.80.0/24. Figure 3-16 Configuring Rule 1 User Guide...
  • Page 858 Configuring ACL Configuration Example for ACL 5) In the same way, configure rule 2 and rule 3 to permit packets with source IP 10.10.70.0 and destination port TCP 80 (http service port) and TCP 443 (https service port). Figure 3-17 Configuring Rule 2 User Guide...
  • Page 859 Configuring ACL Configuration Example for ACL Figure 3-18 Configuring Rule 3 User Guide...
  • Page 860 Configuring ACL Configuration Example for ACL 6) In the same way, configure rule 4 and rule 5 to permit packets with source IP 10.10.70.0 and with destination port TCP 53 or UDP 53 (DNS service port). Figure 3-19 Configuring Rule 4 User Guide...
  • Page 861 Configuring ACL Configuration Example for ACL Figure 3-20 Configuring Rule 5 7) In the same way, configure rule 6 to deny packets with source IP 10.10.70.0. Figure 3-21 Configuring Rule 6 User Guide...
  • Page 862 Configuring ACL Configuration Example for ACL 8) Choose the menu SECURITY > ACL > ACL Binding and click to load the following page. Bind ACL Marketing to port 1/0/1 to make it take effect. Figure 3-22 Binding the ACL to Port 1/0/1 9) Click to save the settings.
  • Page 863 Configuring ACL Configuration Example for ACL Switch(config)#access-list ip 500 rule 5 permit logging disable sip 10.10.70.0 sip-mask 255.255.255.0 protocol 17 d-port 53 d-port-mask ffff 5) Configure rule 6 to deny packets with source IP 10.10.70.0/24. Switch(config)#access-list ip 500 rule 6 deny logging disable sip 10.10.70.0 sip-mask 255.255.255.0 6) Bind ACL500 to port 1.
  • Page 864 Configuring ACL Configuration Example for ACL 3.3 Configuration Example for Combined ACL 3.3.1 Network Requirements To enhance network security, a company requires that only the network administrator can log in to the switch through Telnet connection. The computers are connected to the switch via port 1/0/2.
  • Page 865 Configuring ACL Configuration Example for ACL ■ Binding Configuration Bind the Combined ACL to port 1/0/2 so that the ACL rules will be applied to the computer of the network administrator and the devices which are restricted to Telnet connection. Demonstrated with T2600G-28TS, the following sections explain the configuration procedure in two ways: using the GUI and using the CLI.
  • Page 866 Configuring ACL Configuration Example for ACL Figure 3-26 Editing Combined ACL 4) Configure rule 5 to permit packets with the source MAC address 6C-62-6D-F5-BA-48 and destination port TCP 23 (Telnet service port). User Guide...
  • Page 867 Configuring ACL Configuration Example for ACL Figure 3-27 Configuring Rule 5 5) Configure rule 15 to deny all the packets except the packet with source MAC address 6C-62-6D-F5-BA-48, and destination port TCP 23 (Telnet service port). User Guide...
  • Page 868 Configuring ACL Configuration Example for ACL Figure 3-28 Configuring Rule 15 6) In the same way, configure rule 25 to permit all the packets. The rule makes sure that all devices can get other network services normally. User Guide...
  • Page 869 Configuring ACL Configuration Example for ACL Figure 3-29 Configuring Rule 25 7) Choose the menu SECURITY > ACL > ACL Binding and click to load the following page. Bind the Policy ACL_Telnet to port 1/0/2 to make it take effect. User Guide...
  • Page 870 Configuring ACL Configuration Example for ACL Figure 3-30 Binding the ACL to Port 1/0/2 8) Click to save the settings. 3.3.4 Using the CLI 1) Create a Combined ACL. Switch#configure Switch(config)#access-list create 1000 name ACL_Telnet 2) Configure rule 5 to permit packets with the source MAC address 6C-62-6D-F5-BA-48 and destination port TCP 23 (Telnet service port).
  • Page 871 Configuring ACL Configuration Example for ACL Verify the Configurations Verify the Combined ACL 1000: Switch#show access-list 1000 Combined access list 1000 name: “ACL_Telnet” rule 5 permit logging disable smac 6c:62:6d:f5:ba:48 smask ff:ff:ff:ff:ff:ff type 0800 protocol 6 d-port 23 rule 15 deny logging disable type 0800 protocol 6 d-port 23 rule 25 permit logging disable Switch#show access-list bind ACL ID ACL NAME...
  • Page 872 Configuring ACL Appendix: Default Parameters Appendix: Default Parameters The default settings of ACL are listed in the following tables: Table 4-1 MAC ACL Parameter Default Setting Operation Permit User Priority No Limit Time-Range No Limit Table 4-2 IP ACL Parameter Default Setting Operation Permit...
  • Page 873 Configuring ACL Appendix: Default Parameters Table 4-5 Packet Content ACL Parameter Default Setting Operation Permit Time-Range No Limit Table 4-6 Policy Parameter Default Setting Mirroring Disabled Redirect Disabled Rate Limit Disabled QoS Remark Disabled User Guide...
  • Page 875 Part 28 Configuring IPv4 IMPB CHAPTERS 1. IPv4 IMPB 2. IP-MAC Binding Configuration 3. ARP Detection Configuration 4. IPv4 Source Guard Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 876 Configuring IPv4 IMPB IPv4 IMPB IPv4 IMPB 1.1 Overview IPv4 IMPB (IP-MAC-Port Binding) is used to bind the IP address, MAC address, VLAN ID and the connected port number of the specified host. Based on the binding table, the switch can prevent the ARP cheating attacks with the ARP Detection feature and filter the packets that don’t match the binding entries with the IP Source Guard feature.
  • Page 877 Configuring IPv4 IMPB IP-MAC Binding Configuration IP-MAC Binding Configuration You can add IP-MAC Binding entries in three ways: ■ Manual Binding ■ Via ARP Scanning ■ Via DHCP Snooping Additionally, you can view, search and edit the entries in the Binding Table. 2.1 Using the GUI 2.1.1 Binding Entries Manually You can manually bind the IP address, MAC address, VLAN ID and the Port number...
  • Page 878 Configuring IPv4 IMPB IP-MAC Binding Configuration Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > Manual Binding and click to load the following page. Figure 2-1 Manual Binding Follow these steps to manually create an IP-MAC Binding entry: 1) Enter the following information to specify a host. Host Name Enter the host name for identification.
  • Page 879 Configuring IPv4 IMPB IP-MAC Binding Configuration 3) Enter or select the port that is connected to this host. 4) Click Apply. 2.1.2 Binding Entries via ARP Scanning With ARP Scanning, the switch sends the ARP request packets of the specified IP field to the hosts.
  • Page 880 Configuring IPv4 IMPB IP-MAC Binding Configuration VLAN ID Specify a VLAN ID. 2) In the Scanning Result section, select one or more entries and configure the relevant parameters. Then click Bind. Host Name Enter a host name for identification. IP Address Displays the IP address.
  • Page 881 Configuring IPv4 IMPB IP-MAC Binding Configuration Choose the menu SECURITY > IPv4 IMPB > IP-MAC Binding > DHCP Snooping to load the following page. Figure 2-3 DHCP Snooping Follow these steps to configure IP-MAC Binding via DHCP Snooping: 1) In the Global Config section, globally enable DHCP Snooping. Click Apply. 2) In the VLAN Config section, enable DHCP Snooping on a VLAN or range of VLANs.
  • Page 882 Configuring IPv4 IMPB IP-MAC Binding Configuration Maximum Entries Configure the maximum number of binding entries a port can learn via DHCP snooping. LAG Displays the LAG that the port is in. 4) The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv4 IMPB >...
  • Page 883 Configuring IPv4 IMPB IP-MAC Binding Configuration VLAN ID Displays the VLAN ID. Port Displays the port number. Protect Type Select the protect type for the entry. The entry will be applied to the specific feature. The following options are provided: None: This entry will not be applied to any feature.
  • Page 884 Configuring IPv4 IMPB IP-MAC Binding Configuration Step 2 ip source binding hostname ip-addr mac-addr vlan vlan-id interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } { none | arp-detection | ip-verify-source | both } Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host.
  • Page 885 Configuring IPv4 IMPB IP-MAC Binding Configuration 2.2.2 Binding Entries via DHCP Snooping Follow these steps to bind entries via DHCP Snooping: Step 1 configure Enter global configuration mode. Step 2 ip dhcp snooping Globally enable DHCP Snooping. ip dhcp snooping vlan vlan-range Step 3 Enable DHCP Snooping on the specified VLAN.
  • Page 886 Configuring IPv4 IMPB IP-MAC Binding Configuration VLAN ID: 5 Switch(config-if)#show ip dhcp snooping interface gigabitEthernet 1/0/1 Interface max-entries LAG --------- ----------- Gi1/0/1 Switch(config-if)#end Switch#copy running-config startup-config 2.2.3 Viewing Binding Entries On privileged EXEC mode or any other configuration mode, you can use the following command to view binding entries: show ip source binding View the information of binding entries, including the host name, IP address, MAC address, VLAN ID, port...
  • Page 887 Configuring IPv4 IMPB ARP Detection Configuration ARP Detection Configuration To complete ARP Detection configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Enable ARP Detection. 3) Configure ARP Detection on ports. 4) View ARP statistics. 3.1 Using the GUI 3.1.1 Adding IP-MAC Binding Entries In ARP Detection, the switch detects the ARP packets based on the binding entries in the IP-MAC Binding Table.
  • Page 888 Configuring IPv4 IMPB ARP Detection Configuration ARP Detect Enable or disable ARP Detection globally. Validate Source Enable or disable the switch to check whether the source MAC address and the sender MAC address are the same when receiving an ARP packet. If not, the ARP packet will be discarded.
  • Page 889 Configuring IPv4 IMPB ARP Detection Configuration Follow these steps to configure ARP Detection on ports: 1) Select one or more ports and configure the parameters. Trust Status Enable or disable this port to be a trusted port. On a trusted port, the ARP packets are forwarded directly without being checked.
  • Page 890 Configuring IPv4 IMPB ARP Detection Configuration In the Auto Refresh section, you can enable the auto refresh feature and specify the refresh interval, and thus the web page will be automatically refreshed. In the Illegal ARP Packet section, you can view the number of illegal ARP packets in each VLAN.
  • Page 891 Configuring IPv4 IMPB ARP Detection Configuration Step 4 ip arp inspection vlan vlan-list [ logging ] Enable ARP Detection on one or more 802.1Q VLANs that already exist. vlan-list : Enter the VLAN ID. The format is 1,5-9. logging: Enable the Log feature to make the switch generate a log when an ARP packet is discarded.
  • Page 892 Configuring IPv4 IMPB ARP Detection Configuration 3.2.3 Configuring ARP Detection on Ports Follow these steps to configure ARP Detection on ports: Step 1 configure Enter global configuration mode. Step 2 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode.
  • Page 893 Configuring IPv4 IMPB ARP Detection Configuration Switch(config-if)#ip arp inspection burst-interval 2 Switch(config-if)#show ip arp inspection interface gigabitEthernet 1/0/2 Interface Trust state limit Rate(pps) Current speed(pps) Burst Interval Status LAG --------- ----------- --------------- ------------------ -------------- -------- --- Gi1/0/2 Enable Switch(config-if)#end Switch#copy running-config startup-config The following example shows how to restore the port 1/0/1 that is in Down status to Normal status: Switch#configure...
  • Page 894 Configuring IPv4 IMPB IPv4 Source Guard Configuration IPv4 Source Guard Configuration To complete IPv4 Source Guard configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Configure IPv4 Source Guard. 4.1 Using the GUI 4.1.1 Adding IP-MAC Binding Entries In IPv4 Source Guard, the switch filters the packets that do not match the rules of IPv4-MAC Binding Table.
  • Page 895 Configuring IPv4 IMPB IPv4 Source Guard Configuration Follow these steps to configure IPv4 Source Guard: 1) In the Global Config section, choose whether to enable the Log feature. Click Apply. IPv4 Source Guard Log Enable or disable IPv4 Source Guard Log feature. With this feature enabled, the switch generates a log when illegal packets are received.
  • Page 896 Configuring IPv4 IMPB IPv4 Source Guard Configuration Step 3 ip verify source { sip | sip+mac } Enable IP Source Guard for IPv4 packets. sip : Only the packet with its source IP address and port number matching the IP-MAC binding rules can be processed, otherwise the packet will be discarded.
  • Page 897 Configuring IPv4 IMPB Configuration Examples Configuration Examples 5.1 Example for ARP Detection 5.1.1 Network Requirements As shown below, User 1 and User 2 are legal users in the LAN and connected to port 1/0/1 and port 1/0/2. Both of them are in the default VLAN 1. The router has been configured with security feature to prevent attacks from the WAN.
  • Page 898 Configuring IPv4 IMPB Configuration Examples 3) Configure ARP Detection on ports. Since port 1/0/3 is connected to the gateway router, set port 1/0/3 as trusted port. To prevent ARP flooding attacks, limit the speed of receiving the legal ARP packets on all ports. Demonstrated with T2600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
  • Page 899 Configuring IPv4 IMPB Configuration Examples Figure 5-3 Binding Entry for User 2 3) Choose the menu SECURITY > IPv4 IMPB > ARP Detection > Global Config to load the following page. Enable ARP Detect, Validate Source MAC, Validate Destination MAC and Validate IP, and click Apply.
  • Page 900 Configuring IPv4 IMPB Configuration Examples Figure 5-5 Port Config 5) Click to save the settings. 5.1.4 Using the CLI 1) Manually bind the entries for User 1 and User 2. Switch_A#configure Switch_A(config)#ip source binding User1 192.168.0.31 74:d3:45:32:b6:8d vlan 1 interface gigabitEthernet 1/0/1 arp-detection Switch_A(config)#ip source binding User2 192.168.0.32 88:a9:d4:54:fd:c3 vlan 1 interface gigabitEthernet 1/0/2 arp-detection 2) Enable ARP Detection globally and on VLAN 1.
  • Page 901 Configuring IPv4 IMPB Configuration Examples Verify the Configuration Verify the IP-MAC Binding entries: Switch_A#show ip source binding Host IP-Addr MAC-Addr VID Port SOURCE ---- ------- -------- ---- ------ User1 192.168.0.31 74:d3:45:32:b6:8d Gi1/0/1 ARP-D Manual User2 192.168.0.33 88:a9:d4:54:fd:c3 Gi1/0/2 ARP-D Manual Notice: 1.Here, ‘ARP-D’...
  • Page 902 Configuring IPv4 IMPB Configuration Examples 5.2 Example for IP Source Guard 5.2.1 Network Requirements As shown below, the legal host connects to the switch via port 1/0/1 and belongs to the default VLAN 1. It is required that only the legal host can access the network via port 1/0/1, and other unknown hosts will be blocked when trying to access the network via ports 1/0/1-3.
  • Page 903 Configuring IPv4 IMPB Configuration Examples Figure 5-7 Manual Binding 2) Choose the menu SECURITY > IPv4 IMPB > IPv4 Source Guard to load the following page. Enable IPv4 Source Guard Logging to make the switch generate logs when receiving illegal packets, and click Apply. Select ports 1/0/1-3, configure the Security Type as SIP+MAC, and click Apply.
  • Page 904 Configuring IPv4 IMPB Configuration Examples Figure 5-8 IPv4 Source Guard 3) Click to save the settings. 5.2.4 Using the CLI 1) Manually bind the IP address, MAC address, VLAN ID and connected port number of the legal host, and apply this entry to the IP Source Guard feature. Switch#configure Switch(config)#ip source binding legal-host 192.168.0.100 74:d3:45:32:b5:6d vlan 1 interface gigabitEthernet 1/0/1 ip-verify-source...
  • Page 905 Configuring IPv4 IMPB Configuration Examples Host IP-Addr MAC-Addr VID Port SOURCE ---- ------- -------- ---- ------ User1 192.168.0.100 74:d3:45:32:b5:6d Gi1/0/1 IP-V-S Manual Notice: 1.Here, ‘ARP-D’ for ‘ARP-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’. Verify the configuration of IP Source Guard: Switch#show ip verify source IP Source Guard log: Enabled Port Security-Type...
  • Page 906 Configuring IPv4 IMPB Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Snooping are listed in the following table: Table 6-1 DHCP Snooping Parameter Default Setting Global Config DHCP Snooping Disabled VLAN Config Status Disabled Port Config Maximum Entry Default settings of ARP Detection are listed in the following table: Table 6-2 ARP Detection...
  • Page 907 Configuring IPv4 IMPB Appendix: Default Parameters Parameter Default Setting Burst Interval 1 second ARP Statistics Auto Refresh Disabled Refresh Interval 5 seconds Default settings of IPv4 Source Guard are listed in the following table: Table 6-3 ARP Detection Parameter Default Setting Global Config IPv4 Source Guard Log: Disabled...
  • Page 908 Part 29 Configuring IPv6 IMPB CHAPTERS 1. IPv6 IMPB 2. IPv6-MAC Binding Configuration 3. ND Detection Configuration 4. IPv6 Source Guard Configuration 5. Configuration Examples 6. Appendix: Default Parameters...
  • Page 909 Configuring IPv6 IMPB IPv6 IMPB IPv6 IMPB 1.1 Overview IPv6 IMPB (IP-MAC-Port Binding) is used to bind the IPv6 address, MAC address, VLAN ID and the connected port number of the specified host. Based on the binding table, the switch can prevent ND attacks with the ND Detection feature and filter the packets that don’t match the binding entries with the IPv6 Source Guard feature.
  • Page 910 Configuring IPv6 IMPB IPv6 IMPB Figure 1-1 Network Topology of ND Detection User A Trusted Untrusted Port Port Untrusted Port Switch Gateway Attacker IPv6 Source Guard IPv6 Source Guard is used to filter the IPv6 packets based on the IPv6-MAC Binding table. Only the packets that match the binding rules are forwarded.
  • Page 911 Configuring IPv6 IMPB IPv6-MAC Binding Configuration IPv6-MAC Binding Configuration You can add IPv6-MAC Binding entries in three ways: ■ Manual Binding ■ Via ND Snooping ■ Via DHCPv6 Snooping Additionally, you can view, search and edit the entries in the Binding Table. 2.1 Using the GUI 2.1.1 Binding Entries Manually You can manually bind the IPv6 address, MAC address, VLAN ID and the Port number...
  • Page 912 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Figure 2-1 Manual Binding Follow these steps to manually create an IPv6-MAC Binding entry: 1) Enter the following information to specify a host. Host Name Enter the host name for identification. IPv6 Address Enter the IPv6 address. MAC Address Enter the MAC address.
  • Page 913 Configuring IPv6 IMPB IPv6-MAC Binding Configuration 2.1.2 Binding Entries via ND Snooping With ND Snooping, the switch monitors the ND packets, and records the IPv6 addresses, MAC addresses, VLAN IDs and the connected port numbers of the IPv6 hosts. You can bind these entries conveniently.
  • Page 914 Configuring IPv6 IMPB IPv6-MAC Binding Configuration 2) In the VLAN Config section, select one or more VLANs and enable ND Snooping. Click Apply. VLAN ID Displays the VLAN ID. Status Enable or disable ND Snooping on the VLAN. 3) In the Port Config section, configure the maximum number of entries a port can learn via ND snooping.
  • Page 915 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Choose the menu SECURITY > IPv6 IMPB > IPv6-MAC Binding > DHCPv6 Snooping to load the following page. Figure 2-3 DHCPv6 Snooping Follow these steps to configure IPv6-MAC Binding via DHCPv6 Snooping: 1) In the Global Config section, globally enable DHCPv6 Snooping. Click Apply. 2) In the VLAN Config section, enable DHCPv6 Snooping on a VLAN or range of VLANs.
  • Page 916 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Maximum Entries Configure the maximum number of binding entries a port can learn via DHCPv6 snooping. LAG Displays the LAG that the port is in. 4) The learned entries will be displayed in the Binding Table. You can go to SECURITY > IPv6 IMPB >...
  • Page 917 Configuring IPv6 IMPB IPv6-MAC Binding Configuration VLAN ID Displays the VLAN ID. Port Displays the port number. Protect Type Select the protect type for the entry. The entry will be applied to the specific feature. The following options are provided: None: This entry will not be applied to any feature.
  • Page 918 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Step 2 ipv6 source binding hostname ipv6-addr mac-addr vlan vlan-id interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } { none | nd-detection | ipv6-verify-source | both } Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host.
  • Page 919 Configuring IPv6 IMPB IPv6-MAC Binding Configuration 2.2.2 Binding Entries via ND Snooping Follow these steps to bind entries via ND Snooping: Step 1 configure Enter global configuration mode. Step 2 ipv6 nd snooping Globally enable ND Snooping. ipv6 nd snooping vlan vlan-range Step 3 Enable ND Snooping on the specified VLAN.
  • Page 920 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Switch(config)#end Switch#copy running-config startup-config The following example shows how to configure the maximum number of entries that can be learned on port 1/0/1: Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#ipv6 nd snooping max-entries 1000 Switch(config-if)#show ipv6 nd snooping interface gigabitEthernet 1/0/1 Interface max-entries --------- -----------...
  • Page 921 Configuring IPv6 IMPB IPv6-MAC Binding Configuration Step 7 Return to privileged EXEC mode. Step 8 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable DHCPv6 Snooping globally and on VLAN 5, and set the maximum number of binding entries port 1/0/1 can learn via DHCPv6 snooping as 100: Switch#configure Switch(config)#ipv6 dhcp snooping...
  • Page 922 Configuring IPv6 IMPB ND Detection Configuration ND Detection Configuration To complete ND Detection configuration, follow these steps: 1) Add IPv6-MAC Binding entries. 2) Enable ND Detection. 3) Configure ND Detection on ports. 4) View ND statistics. 3.1 Using the GUI 3.1.1 Adding IPv6-MAC Binding Entries The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets.
  • Page 923 Configuring IPv6 IMPB ND Detection Configuration VLAN ID Displays the VLAN ID. Status Enable or disable ND Detection on the VLAN. Log Status Enable or disable Log feature on the VLAN. With this feature enabled, the switch generates a log when an illegal ND packet is discarded. 3.1.3 Configuring ND Detection on Ports Choose the menu SECURITY >...
  • Page 924 Configuring IPv6 IMPB ND Detection Configuration Choose the menu SECURITY > IPv6 IMPB > ND Detection > ND Statistics to load the following page. Figure 3-3 View ND Statistics In the Auto Refresh section, you can enable the auto refresh feature and specify the refresh interval, and thus the web page will be automatically refreshed.
  • Page 925 Configuring IPv6 IMPB ND Detection Configuration Step 3 ipv6 nd detection vlan vlan-range Enable ND Detection on the specified VLAN. vlan-range: Enter the vlan range in the format of 1-3, 5. Step 5 show ipv6 nd detection Verify the global ND Detection configuration. Step 6 Return to privileged EXEC mode.
  • Page 926 Configuring IPv6 IMPB ND Detection Configuration Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to configure port 1/0/1 as trusted port: Switch#configure Switch(config)#interface gigabitEthernet 1/0/1 Switch(config-if)#ipv6 nd detection trust Switch(config-if)#show ipv6 nd detection interface gigabitEthernet 1/0/1 Interface Trusted...
  • Page 927 Configuring IPv6 IMPB IPv6 Source Guard Configuration IPv6 Source Guard Configuration To complete IPv6 Source Guard configuration, follow these steps: 1) Add IP-MAC Binding entries. 2) Configure IPv6 Source Guard. 4.1 Using the GUI 4.1.1 Adding IPv6-MAC Binding Entries The ND Detection feature allows the switch to detect the ND packets based on the binding entries in the IPv6-MAC Binding Table and filter out the illegal ND packets.
  • Page 928 Configuring IPv6 IMPB IPv6 Source Guard Configuration Port Displays the port number. Security Type Select Security Type on the port for IPv6 packets. The following options are provided: Disable: The IP Source Guard feature is disabled on the port. SIPv6: Only packets whose source IPv6 address and port number match the IPv6-MAC binding rules are processed; all other packets are discarded.
  • Page 929 Configuring IPv6 IMPB IPv6 Source Guard Configuration Step 4 show ipv6 verify source [ interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id } ] Verify the IP Source Guard configuration for IPv6 packets. Step 5 Return to privileged EXEC mode.
  • Page 930 Configuring IPv6 IMPB Configuration Examples Configuration Examples 5.1 Example for ND Detection 5.1.1 Network Requirements As shown below, User 1 and User 2 are legal IPv6 users in the LAN and connected to port 1/0/1 and port 1/0/2. Both of them are in the default VLAN 1. The router has been configured with security feature to prevent attacks from the WAN.
  • Page 931 Configuring IPv6 IMPB Configuration Examples 3) Configure ND Detection on ports. Since port 1/0/3 is connected to the gateway router, set port 1/0/3 as trusted port. Demonstrated with T2600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI. 5.1.3 Using the GUI 1) Choose the menu SECURITY >...
  • Page 932 Configuring IPv6 IMPB Configuration Examples Figure 5-3 Binding Entry for User 2 3) Choose the menu SECURITY > IPv6 IMPB > ND Detection > Global Config to load the following page. Enable ND Detection and click Apply. Select VLAN 1, change Status as Enabled and click Apply.
  • Page 933 Configuring IPv6 IMPB Configuration Examples Figure 5-5 Port Config 5) Click to save the settings. 5.1.4 Using the CLI 1) Manually bind the entries for User 1 and User 2. Switch_A#configure Switch_A(config)#ipv6 source binding User1 2001::5 74:d3:45:32:b6:8d vlan 1 interface gigabitEthernet 1/0/1 nd-detection Switch_A(config)#ipv6 source binding User2 2001::6 88:a9:d4:54:fd:c3 vlan 1 interface gigabitEthernet 1/0/2 nd-detection 2) Enable ND Detection globally and on VLAN 1.
  • Page 934 Configuring IPv6 IMPB Configuration Examples Host IP-Addr MAC-Addr VID Port SOURCE ---- ------- -------- ---- ------ User1 2001::5 74:d3:45:32:b6:8d Gi1/0/1 ND-D Manual User2 2001::6 88:a9:d4:54:fd:c3 Gi1/0/2 ND-D Manual Notice: 1.Here, ‘ND-D’ for ‘ND-Detection’,and’IP-V-S’ for ‘IP-Verify-Source’. Verify the global configuration of ND Detection: Switch_A#show ipv6 nd detection Global Status: Enable Verify the ND Detection configuration on VLAN:...
  • Page 935 Configuring IPv6 IMPB Configuration Examples 1/0/1, and other unknown hosts will be blocked when trying to access the network via ports 1/0/1-3. Figure 5-6 Network Topology Legal Host 2001::5 74-D3-45-32-B6-8D GI1/0/1 GI1/0/2 GI1/0/3 Unknown Host Switch Unknown Host 5.2.2 Configuration Scheme To implement this requirement, you can use IPv6-MAC Binding and IPv6 Source Guard to filter out the packets received from the unknown hosts.
  • Page 936 Configuring IPv6 IMPB Configuration Examples Figure 5-7 Manual Binding 2) Choose the menu SECURITY > IPv6 IMPB > IPv6 Source Guard to load the following page. Select ports 1/0/1-3, configure the Security Type as SIPv6+MAC, and click Apply. Figure 5-8 IPv6 Source Guard 3) Click to save the settings.
  • Page 937 Configuring IPv6 IMPB Configuration Examples 5.2.4 Using the CLI 1) Manually bind the IPv6 address, MAC address, VLAN ID and connected port number of the legal host, and apply this entry to the IPv6 Source Guard feature. Switch#configure Switch(config)#ipv6 source binding legal-host 2001::5 74:d3:45:32:b6:8d vlan 1 interface gigabitEthernet 1/0/1 ipv6-verify-source 2) Enable IPv6 Source Guard on ports 1/0/1-3.
  • Page 938 Configuring IPv6 IMPB Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Snooping are listed in the following table: Table 6-1 DHCPv6 Snooping Parameter Default Setting Global Config DHCPv6 Snooping Disabled VLAN Config Status Disabled Port Config Maximum Entry Default settings of ND Detection are listed in the following table: Table 6-2 ND Detection...
  • Page 939 Configuring IPv6 IMPB Appendix: Default Parameters Default settings of IPv6 Source Guard are listed in the following table: Table 6-3 ND Detection Parameter Default Setting Port Config Security Type Disabled User Guide...
  • Page 940 Part 30 Configuring DHCP Filter CHAPTERS 1. DHCP Filter 2. DHCPv4 Filter Configuration 3. DHCPv6 Filter Configuration 4. Configuration Examples 5. Appendix: Default Parameters...
  • Page 941 Configuring DHCP Filter DHCP Filter DHCP Filter 1.1 Overview During the working process of DHCP, generally there is no authentication mechanism between the DHCP server and the clients. If there are several DHCP servers on the network, security problems and network interference will happen. DHCP Filter resolves this problem.
  • Page 942 Configuring DHCP Filter DHCP Filter DHCPv4 Filter DHCPv4 Filter is used for DHCPv4 servers and IPv4 clients. DHCPv6 Filter DHCPv6 Filter is used for DHCPv6 servers and IPv6 clients. User Guide...
  • Page 943 Configuring DHCP Filter DHCPv4 Filter Configuration DHCPv4 Filter Configuration To complete DHCPv4 Filter configuration, follow these steps: 1) Configure the basic DHCPv4 Filter parameters. 2) Configure legal DHCPv4 servers. 2.1 Using the GUI 2.1.1 Configuring the Basic DHCPv4 Filter Parameters Choose the menu SECURITY >...
  • Page 944 Configuring DHCP Filter DHCPv4 Filter Configuration Port Displays the port number. Status Enable or disable DHCPv4 Filter feature on the port. MAC Verify Enable or disable the MAC Verify feature. There are two fields in the DHCPv4 packet that contain the MAC address of the host. The MAC Verify feature compares the two fields of a DHCPv4 packet and discards the packet if the two fields are different.
  • Page 945 Configuring DHCP Filter DHCPv4 Filter Configuration 2.1.2 Configuring Legal DHCPv4 Servers Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Legal DHCPv4 Servers and click to load the following page. Figure 2-2 Adding Legal DHCPv4 Server Follow these steps to add a legal DHCPv4 server: 1) Configure the following parameters: Server IP Address Specify the IP address of the legal DHCPv4 server.
  • Page 946 Configuring DHCP Filter DHCPv4 Filter Configuration Step 2 ip dhcp filter Enable DHCPv4 Filter globally. Step 3 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | interface port-channel port-channel-id | interface range port-channel port-channel-id-list Enter interface configuration mode.
  • Page 947 Configuring DHCP Filter DHCPv4 Filter Configuration The following example shows how to enable DHCPv4 Filter globally and how to enable DHCPv4 Filter, enable the MAC verify feature, set the limit rate as 10 pps and set the decline rate as 20 pps on port 1/0/1: Switch#configure Switch(config)#ip dhcp filter Switch(config)#interface gigabitEthernet 1/0/1...
  • Page 948 Configuring DHCP Filter DHCPv4 Filter Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create an entry for the legal DHCPv4 server whose IP address is 192.168.0.100 and connected port number is 1/0/1 without client MAC address restricted: Switch#configure...
  • Page 949 Configuring DHCP Filter DHCPv6 Filter Configuration DHCPv6 Filter Configuration To complete DHCPv6 Filter configuration, follow these steps: 1) Configure the basic DHCPv6 Filter parameters. 2) Configure legal DHCPv6 servers. 3.1 Using the GUI 3.1.1 Configuring the Basic DHCPv6 Filter Parameters Choose the menu SECURITY >...
  • Page 950 Configuring DHCP Filter DHCPv6 Filter Configuration Status Enable or disable DHCPv6 Filter feature on the port. Rate Limit Select to enable the rate limit feature and specify the maximum number of DHCPv6 packets that can be forwarded on the port per second. The excessive DHCPv6 packets will be discarded.
  • Page 951 Configuring DHCP Filter DHCPv6 Filter Configuration 3.2 Using the CLI 3.2.1 Configuring the Basic DHCPv6 Filter Parameters Follow these steps to complete the basic settings of DHCPv6 Filter: Step 1 configure Enter global configuration mode. Step 2 ipv6 dhcp filter Enable DHCPv6 Filter globally.
  • Page 952 Configuring DHCP Filter DHCPv6 Filter Configuration Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG. The following example shows how to enable DHCPv6 Filter globally and how to enable DHCPv6 Filter, set the limit rate as 10 pps and set the decline rate as 20 pps on port 1/0/1: Switch#configure...
  • Page 953 Configuring DHCP Filter DHCPv6 Filter Configuration Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config Save the settings in the configuration file. The following example shows how to create an entry for the legal DHCPv6 server whose IPv6 address is 2001::54 and connected port number is 1/0/1: Switch#configure Switch(config)#ipv6 dhcp filter server permit-entry server-ip 2001::54 interface...
  • Page 954 Configuring DHCP Filter Configuration Examples Configuration Examples 4.1 Example for DHCPv4 Filter 4.1.1 Network Requirements As shown below, all the DHCPv4 clients get IP addresses from the legal DHCPv4 server, and any other DHCPv4 server in the LAN is regarded as illegal. Now it is required that only the legal DHCPv4 server is allowed to assign IP addresses to the clients.
  • Page 955 Configuring DHCP Filter Configuration Examples 4.1.3 Using the GUI 1) Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Basic Config to load the following page. Enable DHCPv4 Filter globally and click Apply. Select all ports, change Status as Enable, and click Apply. Figure 4-2 Basic Config 2) Choose the menu SECURITY >...
  • Page 956 Configuring DHCP Filter Configuration Examples Figure 4-3 Create Entry for Legal DHCPv4 Server 3) Click to save the settings. 4.1.4 Using the CLI 1) Enable DHCPv4 Filter globally and on all ports: Switch_A#configure Switch_A(config)#ip dhcp filter Switch_A(config)#interface range gigabitEthernet 1/0/1-28 Switch_A(config-if-range)#ip dhcp filter Switch_A(config-if-range)#exit 2) Create an entry for the legal DHCPv4 server: Switch_A(config)#ip dhcp filter server permit-entry server-ip 192.168.0.200 client-mac...
  • Page 957 Configuring DHCP Filter Configuration Examples Verify the DHCPv4 Filter configuration on ports: Switch_A#show ip dhcp filter interface Interface state MAC-Verify Limit-Rate Dec-rate --------- ------- ---------- ---------- -------- Gi1/0/1 Enable Disable Disable Disable Gi1/0/2 Enable Disable Disable Disable Gi1/0/3 Enable Disable Disable Disable Gi1/0/4...
  • Page 958 Configuring DHCP Filter Configuration Examples Figure 4-1 Network Topology Legal DHCPv6 Server 2001::54 Gi1/0/1 Illegal DHCPv6 Switch A Server DHCPv6 Client DHCPv6 Client DHCPv6 Client 4.2.2 Configuration Scheme To meet the requirements, you can configure DHCPv6 Filter to filter the DHCPv6 packets from the illegal DHCPv6 server.
  • Page 959 Configuring DHCP Filter Configuration Examples Figure 4-2 Basic Config 2) Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Legal DHCPv6 Servers and click to load the following page. Specify the IP address and connected port number of the legal DHCPv6 server. Click Create. Figure 4-3 Create Entry for Legal DHCPv6 Server 3) Click to save the settings.
  • Page 960 Configuring DHCP Filter Configuration Examples 4.2.4 Using the CLI 1) Enable DHCPv6 Filter globally and on all ports: Switch_A#configure Switch_A(config)#ipv6 dhcp filter Switch_A(config)#interface range gigabitEthernet 1/0/1-28 Switch_A(config-if-range)#ipv6 dhcp filter Switch_A(config-if-range)#exit 2) Create an entry for the legal DHCPv6 server: Switch_A(config)#ipv6 dhcp filter server permit-entry server-ip 2001::54 interface gigabitEthernet 1/0/1 Switch_A(config)#end Switch_A#copy running-config startup-config...
  • Page 961 Configuring DHCP Filter Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCPv4 Filter are listed in the following table: Table 5-1 DHCPv4 Filter Parameter Default Setting Global Config DHCPv4 Filter Disabled Port Config Status Disabled MAC Verify Disabled Rate Limit Disabled Decline Protect Disabled...
  • Page 962 Part 31 Configuring DoS Defend CHAPTERS 1. Overview 2. DoS Defend Configuration 3. Appendix: Default Parameters...
  • Page 963 Configuring DoS Defend Overview Overview The DoS (Denial of Service) defend feature provides protection against DoS attacks. DoS attacks occupy the network bandwidth maliciously by sending numerous service requests to the hosts. It results in an abnormal service or breakdown of the network. With DoS Defend feature, the switch can analyze the specific fields of the IP packets, distinguish the malicious DoS attack packets and discard them directly.
  • Page 964 Configuring DoS Defend DoS Defend Configuration DoS Defend Configuration 2.1 Using the GUI Choose the menu SECURITY > DoS Defend to load the following page. Figure 2-1 DoS Defend Follow these steps to configure DoS Defend: 1) In the DoS Defend section, enable DoS Protection and click Apply. 2) In the DoS Defend Config section, select one or more defend types according to your needs and click Apply.
  • Page 965 Configuring DoS Defend DoS Defend Configuration NULL Scan The attacker sends the illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, the packets with all control fields set to 0 are considered illegal. SYN sPort less The attacker sends the illegal packet with its TCP SYN field set to 1 and source 1024...
  • Page 966 Configuring DoS Defend DoS Defend Configuration Step 2 ip dos-prevent Globally enable the DoS defend feature. Step 3 ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | ping-flood | syn-flood | win-nuke | ping-of-death | smurf} Configure one or more defend types according to your needs.
  • Page 967 Configuring DoS Defend DoS Defend Configuration Step 6 copy running-config startup-config Save the settings in the configuration file. The following example shows how to enable the DoS Defend type named land: Switch#configure Switch(config)#ip dos-prevent Switch(config)#ip dos-prevent type land Switch(config)#show ip dos-prevent DoS Prevention State: Enabled Type...
  • Page 968 Configuring DoS Defend Appendix: Default Parameters Appendix: Default Parameters Default settings of Network Security are listed in the following tables. Table 3-1 DoS Defend Parameter Default Setting DoS Defend Disabled User Guide...
  • Page 969 Part 32 Monitoring the System CHAPTERS 1. Overview 2. Monitoring the CPU 3. Monitoring the Memory...
  • Page 970 Monitoring the System Overview Overview With System Monitor function, you can: ■ Monitor the CPU utilization of the switch. ■ Monitor the memory utilization of the switch. The CPU utilization should always be under 80%, and excessive use may result in switch malfunctions.
  • Page 971 Monitoring the System Monitoring the CPU Monitoring the CPU 2.1 Using the GUI Choose the menu MAINTENANCE > System Monitor > CPU Monitor to load the following page. Figure 2-1 Monitoring the CPU Click Monitor to enable the switch to monitor and display its CPU utilization rate every five seconds.
  • Page 972 Monitoring the System Monitoring the CPU The following example shows how to monitor the CPU: Switch#show cpu-utilization Unit | CPU Utilization Five-Seconds One-Minute Five-Minutes ------+------------------------------------------------- User Guide...
  • Page 973 Monitoring the System Monitoring the Memory Monitoring the Memory 3.1 Using the GUI Choose the menu MAINTENANCE > System Monitor > Memory Monitor to load the following page. Figure 3-1 Monitoring the Memory Click Monitor to enable the switch to monitor and display its memory utilization rate every five seconds.
  • Page 974 Monitoring the System Monitoring the Memory Unit | Current Memory Utilization ------+---------------------------- | 74% User Guide...
  • Page 975 Part 33 Monitoring Traffic CHAPTERS 1. Traffic Monitor 2. Appendix: Default Parameters...
  • Page 976 Monitoring Traffic Traffic Monitor Traffic Monitor With Traffic Monitor function, you can monitor each port’s traffic information, including the traffic summary and traffic statistics in detail. 1.1 Using the GUI Choose the menu MAINTENANCE > Traffic Monitor to load the following page. Figure 1-1 Traffic Summary Follow these steps to view the traffic summary of each port: 1) To get the real-time traffic summary, enable Auto Refresh, or click Refresh.
  • Page 977 Monitoring Traffic Traffic Monitor Packets Tx: Displays the number of packets transmitted on the port. Error packets are not counted. Octets Rx: Displays the number of octets received on the port. Error octets are counted. Octets Tx: Displays the number of octets transmitted on the port. Error octets are counted. To view a port’s traffic statistics in detail, click Statistics on the right side of the entry.
  • Page 978 Monitoring Traffic Traffic Monitor Received: Displays the detailed information of received packets. Broadcast: Displays the number of valid broadcast packets received on the port. Error frames are not counted. Multicast: Displays the number of valid multicast packets received on the port. Error frames are not counted.
  • Page 979 Monitoring Traffic Traffic Monitor Sent: Displays the detailed information of sent packets. Broadcast: Displays the number of valid broadcast packets transmitted on the port. Error frames are not counted. Multicast: Displays the number of valid multicast packets transmitted on the port. Error frames are not counted.
  • Page 980 Monitoring Traffic Traffic Monitor 1.2 Using the CLI On privileged EXEC mode or any other configuration mode, you can use the following command to view the traffic information of each port or LAG: show interface counters [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ] port : The port number.
  • Page 981 Monitoring Traffic Appendix: Default Parameters Appendix: Default Parameters Table 2-1 Traffic Statistics Monitoring Parameter Default Setting Traffic Summary Auto Refresh Disabled Refresh Rate 10 seconds User Guide...
  • Page 982 Part 34 Mirroring Traffic CHAPTERS 1. Mirroring 2. Configuration Examples 3. Appendix: Default Parameters...
  • Page 983 Mirroring Traffic Mirroring Mirroring You can analyze network traffic and troubleshoot network problems using Mirroring. Mirroring allows the switch to send a copy of the traffic that passes through specified sources (ports, LAGs or the CPU) to a destination port. It does not affect the switching of network traffic on source ports, LAGs or the CPU.
  • Page 984 Mirroring Traffic Mirroring Figure 1-2 Configure the Mirroring Session Follow these steps to configure the mirroring session: 1) In the Destination Port Config section, specify a destination port for the mirroring session, and click Apply. 2) In the Source Interfaces Config section, specify the source interfaces and click Apply. Traffic passing through the source interfaces will be mirrored to the destination port.
  • Page 985 Mirroring Traffic Mirroring Note: • The member ports of an LAG cannot be set as a destination port or source port. • A port cannot be set as the destination port and source port at the same time. 1.2 Using the CLI Follow these steps to configure Mirroring.
  • Page 986 Mirroring Traffic Mirroring Switch(config)#monitor session 1 source interface gigabitEthernet 1/0/1-3 both Switch(config)#monitor session 1 source cpu 1 both Switch(config)#show monitor session Monitor Session: Destination Port: Gi1/0/10 Source Ports(Ingress): Gi1/0/1-3 Source Ports(Egress): Gi1/0/1-3 Source CPU(Ingress): cpu1 Source CPU(Egress): cpu1 Switch(config-if)#end Switch#copy running-config startup-config User Guide...
  • Page 987 Mirroring Traffic Configuration Examples Configuration Examples 2.1 Network Requirements As shown below, several hosts and a network analyzer are directly connected to the switch. For network security and troubleshooting, the network manager needs to use the network analyzer to monitor the data packets from the end hosts. Figure 2-1 Network Topology Gi1/0/2-5 Gi1/0/1...
  • Page 988 Mirroring Traffic Configuration Examples 2) Click Edit on the above page to load the following page. In the Destination Port Config section, select port 1/0/1 as the destination port and click Apply. Figure 2-3 Destination Port Configuration 3) In the Source Interfaces Config section, select ports 1/0/2-5 as the source ports, and enable Ingress and Egress to allow the received and sent packets to be copied to the destination port.
  • Page 989 Mirroring Traffic Configuration Examples Verify the Configuration Switch#show monitor session 1 Monitor Session: Destination Port: Gi1/0/1 Source Ports(Ingress): Gi1/0/2-5 Source Ports(Egress): Gi1/0/2-5 User Guide...
  • Page 990 Mirroring Traffic Appendix: Default Parameters Appendix: Default Parameters Default settings of Switching are listed in the following tables. Table 3-1 Configurations for Ports Parameter Default Setting Ingress Disabled Egress Disabled User Guide...
  • Page 991 Part 35 Configuring sFlow (Only for Certain Devices) CHAPTERS 1. Overview 2. sFlow Configuration 3. Configuration Example 4. Appendix: Default Parameters...
  • Page 992 Configuring sFlow (Only for Certain Devices) Overview Overview Note: T2600G-18TS does not support sFlow. sFlow (Sampled Flow) is a technology for monitoring high-speed switched and routed networks. It provides complete visibility into network activity. With sFlow, you can analyze traffic statistics and monitor the network usage, and thus implement effective management and control of network resources.
  • Page 993 Configuring sFlow (Only for Certain Devices) sFlow Configuration sFlow Configuration To complete the configuration, follow these steps: 1) Configure the sFlow Agent. 2) Configure the sFlow Collector. 3) Configure the sFlow Sampler. Configuration Guidelines To get analytic results, you should choose a proper collector. For details on sFlow collectors, refer to https://sflow.org.
  • Page 994 Configuring sFlow (Only for Certain Devices) sFlow Configuration 2.1.2 Configuring the sFlow Collector Choose the menu MAINTENANCE > sFlow > sFlow Collector to load the following page. Figure 2-2 Configuring the sFlow Collector Follow these steps to configure the sFlow Collector: 1) Select a Collector and configure the relevant parameters.
  • Page 995 Configuring sFlow (Only for Certain Devices) sFlow Configuration Choose the menu MAINTENANCE > sFlow > sFlow Sampler to load the following page. Figure 2-3 Configuring the sFlow Sampler Follow these steps to configure the sFlow Sampler: 1) Set one or more ports to be Samplers and configure the relevant parameters. One port can be bound to only one collector.
  • Page 996 Configuring sFlow (Only for Certain Devices) sFlow Configuration 2.2 Using the CLI Follow these steps to configure the sFlow: Step 1 configure Enter global configuration mode. Step 2 sflow address { ipv4-addr } Configure the IP address of sFlow Agent. ipv4-addr: Enter the management IP address of the switch to monitor traffic on the switch ports.
  • Page 997 Configuring sFlow (Only for Certain Devices) sFlow Configuration Step 7 show sflow { [ global ] | [ collector ] | [ sampler ] } Verify the sFlow configurations. global: View the global configuration of sFlow. collector: View the global configuration of the sFlow collector. sampler: View the global configuration of the sFlow sampler.
  • Page 998 Configuring sFlow (Only for Certain Devices) sFlow Configuration Port Collector IngRate EgRate MaxHeader ---------- ---------- ---------- ---------- ---------- Gi1/0/1 1024 Gi1/0/2 Gi1/0/3 Switch(config-if)#end Switch#copy running-config startup-config User Guide...
  • Page 999 Configuring sFlow (Only for Certain Devices) Configuration Example Configuration Example 3.1 Network Requirements The company network manager needs to monitor and analyze the network usage in department A. Figure 3-1 Network Topology Gi1/0/1 Gi1/0/2 Switch Department A IP: 192.168.0.26/24 IP: 192.168.0.27/24 3.2 Configuration Scheme The network manager can configure sFlow to monitor and analyze the network.
  • Page 1000 Configuring sFlow (Only for Certain Devices) Configuration Example Figure 3-3 Configuring sFlow Collector 3) Choose the menu MAINTENANCE > sFlow > sFlow Sampler to load the following page. Select Collector 1 for port 1/0/1, set the ingress rate as 1024, then click Apply. Figure 3-4 Configuring sFlow Sampler 4) Click to save the settings.
